Abstract. We develop a version of the pi-calculus, Picost, in which channels are interpreted as resources which have costs associated with them. Code runs under the financial responsibility of owners; they must pay to use resources, but may profit by providing them.

We provide a proof methodology for processes described in Picost based on bisimulations. The underlying behavioural theory is justified via a contextual characterisation. We also demonstrate its usefulness via examples.



1. Introduction 

The purpose of this paper is to develop a behavioural theory of processes, in which computations depend on the ability to fund the resources involved. The theory will be based on the well-known concept of bisimulations, [Mil99], which automatically gives a powerful co-inductive proof methodology for establishing properties of processes; here these properties will include the cost of behaviour.

We take as a starting point the well-known pi-calculus, [SW01, Mil99], a language for describing mobile processes which has a well-developed behavioural theory. In the pi-calculus a process is described in terms of its ability to input and output on communication channels. Here we interpret these channels as resources, or services, as for example in [CGP08]. So input along a channel, written as $c?(x).P$ in the pi-calculus, is now interpreted as providing the service $c$, while output, written $c!(v).P$, is interpreted as a request to use the service $c$. A process is now determined by the manner in which it provides services and uses them.

Viewed from this perspective, we extend the pi-calculus in two ways. Firstly we associate a cost with resources; specifically for each resource we assume that a certain amount of funds $k_u$ is charged to use it, and an amount $k_p$ is also required to provide it. Secondly we introduce principals or owners who provide the funds necessary for the functioning of resources. The novel construct in the language is $[P]_o$, representing the (pi-calculus) process $P$ running under the financial responsibility of $o$. For example in $[c!(v).Q]_o$ the use of the resource $c$ is only possible if $o$ can fund the charges. Similarly with $[c?(x).Q]_o$, but here there is also the potential for gain for owner $o$; in our formulation $o$ profits from any difference between the cost in providing the resource and the charge made to use it.

Our language Picost is presented in Section 2 and is essentially a variation on Dpi, a typed distributed version of the pi-calculus, [Hen07]. The reduction semantics is given in terms of judgements of the form

$(\Gamma \triangleright M) \rightarrow (\Delta \triangleright N)$

where $\Gamma, \Delta$ are cost environments. These have a static component, giving the costs associated with resources, and a dynamic part, which gives the funds available to owners and also records expenditure. The usefulness of the language is demonstrated by a series of simple examples.

But the main achievement of the paper is a behavioural theory, expressed as judgements

$(\Gamma \triangleright M) \sqsubseteq_{\mathrm{awgt}} (\Delta \triangleright N)$ (1.1)

indicating that, informally speaking,

(i) the process $M$ running relative to the cost environment $\Gamma$ is bisimilar, in the standard sense [Mil89], with process $N$ running relative to $\Delta$

(ii) the costs associated with $(\Delta \triangleright N)$ are no more, and possibly less, than those associated with $(\Gamma \triangleright M)$.

Influenced by [KAK05] we first develop a general framework of weighted labelled transition systems or wLTSs, in which actions, including internal actions, may have multiple weights associated with them. We then define a notion of amortised weighted bisimulations between their states, giving rise to a preorder $s \sqsubseteq_{\mathrm{awgt}} t$, meaning that $s, t$ are bisimilar but in some sense the behaviours of $t$ are lighter than those of $s$. From this we obtain, in the standard manner, a co-inductive proof methodology for proving that two systems are related; it is sufficient to find, or construct, a particular amortised weighted bisimulation containing the pair $(s, t)$.

This proof methodology is applied to Picost by first interpreting the language as an LTS, in agreement with the reduction semantics, and then interpreting this LTS as a wLTS, giving rise to (parametrised versions of) the judgements (1.1) above. But as we will see these judgements can be interpreted in two ways. If the recorded expenditure represents costs then $(\Delta \triangleright N)$ can be considered an improvement on $(\Gamma \triangleright M)$. On the other hand if it represents profits then we have the reverse; $(\Gamma \triangleright M)$ is an improvement on $(\Delta \triangleright N)$ as it has the potential to be heavier.

The details of this theory are given in Section 3 and the resulting proof methodology is illustrated by examples. However in Section 4 we re-examine this proof methodology, in the light of reasonable properties we would expect of it; and these are found wanting. It turns out that the manner in which we generate the wLTS for Picost from its operational semantics is too coarse. We show how to generate a somewhat more abstract wLTS, and prove that the resulting proof methodology is satisfactory, in a precise technical sense, by adapting the notion of reduction barbed congruence, [HT92, SW01, HR04, Hen07].

2. The language Picost 

2.1. Syntax: We assume a set of channel or resource names Chan, ranged over by $a, b, c, \ldots, r, \ldots$ whose use requires some cost, a distinct set of (value) variables Var, ranged over by $x, y, \ldots$, and a further distinct set of recursion variables, $X, Y, \ldots$; $u$ ranges over identifiers, which may be either resource names or (value) variables. We also assume a set of principals or owners Own containing at least two elements, ranged over by $o, u, p$, who are implicitly registered for these resources and who finance their provision and use. The syntax of Picost is then given in Figure 1 and is essentially a very minor variation on Dpi, [Hen07]. The main syntactic category represents code running under responsibility, with $[P]_o$ being the novel construct. As explained in the Introduction this represents the code $P$ running under the responsibility of the owner $o$; intuitively $o$ is financially responsible for the computation $P$. Thus in general a system is simply a collection of computation threads each running under the responsibility of an explicit owner, which may share private resources. The syntax for these threads is a version of the well-known pi-calculus, [SW01].

  M, N ::=  [T]_o                       Owned code
         |  M | N                       Composition
         |  (new r:R) M                 Scoped resource
         |  0                           Identity

  T, U ::=  u?(x).T                     Provide resource u
         |  u!(v).T                     Use resource u
         |  if v = v then T else U      Matching
         |  (new r:R) T                 Resource creation
         |  T | U                       Concurrency
         |  rec X. T                    Recursion
         |  X                           Recursion variable
         |  stop                        Termination

Figure 1: Syntax of Picost

The type $R$ of a resource describes the costs associated with that resource. There is a cost associated with using a resource, and a cost associated with providing it; therefore types take the form $(k_u, k_p)$ where $k_u, k_p$ are elements from some cost domain $K$. Here we take $K$ simply to be $\mathbb{N}$ ordered in the standard manner, but most of our results apply equally well to variations.

We employ the standard abbreviations associated with the pi-calculus, and associated terminology. In particular we assume Barendregt's convention, which implies that bound variables used in terms or definitions are distinct, and different from any free variables in use in the current context. In Figure 1 the meta-variable $v$ ranges over value expressions, whose specification we omit; but they include at least resource names $a \in \mathrm{Chan}$, variables $x$ from Var, and elements of $K$. As usual we omit every occurrence of a trailing stop and abbreviate $u?().T$, $u!().T$ to $u?.T$, $u!.T$ respectively. We are only interested in closed code terms, those which contain no free occurrences of variables, which are ranged over by $P, Q, \ldots$; we use $\mathrm{fn}(P)$ to denote the set of names from Chan which occur freely in $P$. In the sequel we assume all terms are closed.
2.2. Cost environments: Since computations have financial implications, the execution of processes is now relative to a cost environment $\Gamma$. This records the financial resources available to principals, and the cost of providing and using resources; in order to be able to compare the cost of computations we also assume a component which records the expenditure as a computation proceeds. Thus judgements of the reduction semantics take the form

$\Gamma \triangleright M \rightarrow \Delta \triangleright N$

where $\Gamma, \Delta$ are cost environments.

There are many possibilities for cost environments; see [HG08] for an example which 
directly associates funds with resources. In the present paper we define them in such a way 
that the owners retain total control over their own funds. 

Definition 2.1 (Cost environments). A cost environment $\Gamma$ consists of a 4-tuple $(\Gamma^o, \Gamma^u, \Gamma^p, \Gamma^{rec})$ where

• $\Gamma^u : \mathrm{Chan} \rightharpoonup K$

$\Gamma^u(a)$ records the cost of using resource $a$; this is a static component, and will not vary during computations

• $\Gamma^p : \mathrm{Chan} \rightharpoonup K$

$\Gamma^p(a)$ records the cost of providing resource $a$; again this is a static component

• $\Gamma^o : \mathrm{Own} \to K$

$\Gamma^o(o)$ records the funds available to owner $o$; this will vary as computations proceed, as owners will need to fund their interactions with resources

• $\Gamma^{rec} \in K$

$\Gamma^{rec}$ keeps an account of the expenditure incurred during a computation; of course this also will vary as a computation proceeds.

We assume that both partial functions $\Gamma^u, \Gamma^p$ have the same finite domain, but not necessarily that $\Gamma^u(a) \geq \Gamma^p(a)$ whenever these are defined. ■

We now define some operations on cost environments which will enable us to reflect their impact on the semantics of our language. The most important is a partial function, $\Gamma \xrightarrow{(u,a,p)} \Delta$, which informally means that in $\Gamma$ owner $u$ has sufficient funds to cover the cost of using resource $a$ and owner $p$ has sufficient funds to provide it. Then $\Delta$ records the result of the expenditure of both $u$ and $p$ of those funds. There is also considerable scope as to what happens to these funds, and how their expenditure is recorded. Here we take the view that the provider $p$ gains the cost which the user expends, to offset $p$'s cost in providing the resource.

Definition 2.2 (Resource charging). Let $\xrightarrow{(u,a,p)}$ be the partial function over cost environments defined as follows: $\Gamma \xrightarrow{(u,a,p)} \Delta$ if

(i) $\Gamma^o(u) \geq \Gamma^u(a)$ and $\Gamma^o(p) \geq \Gamma^p(a)$

(ii) $\Delta$ is the cost environment obtained from $\Gamma$ by

(a) decreasing $\Gamma^o(u)$ by the amount $\Gamma^u(a)$

(b) increasing $\Gamma^o(p)$ by the amount $\Gamma^u(a) - \Gamma^p(a)$, which may of course be negative

(iii) Finally there is considerable flexibility in how this resource expenditure is recorded in $\Delta^{rec}$. We call resource charging for $a$ standard when this is set to $\Gamma^{rec} + \Gamma^u(a) - \Gamma^p(a)$; that is we add to the record the gain obtained in using resource $a$. But in general we allow functions $\mathrm{rec}_a(-,-)$, for each resource $a$, in which case we define $\Delta^{rec}$ to be $\Gamma^{rec} + \mathrm{rec}_a(\Gamma^u(a), \Gamma^p(a))$. ■

In general we allow the owners $u$ and $p$ in this definition to coincide. So, for example if $\Gamma \xrightarrow{(o,a,o)} \Delta$, then the effect of performing (a) above, followed by (b), is that $\Delta^o(o)$ is set to $\Gamma^o(o) - \Gamma^p(a)$: the charge for use is paid by $o$ and immediately returned to $o$, so only the cost of provision is lost.

The use of two independent charges for each resource, $\Gamma^u$ and $\Gamma^p$, may seem overly complex. A simpler model can be obtained by having only one combined charge; effectively we could assume $\Gamma^p(a)$ to be $0$ for every $a$, and so resource charging simply transfers the appropriate amount of funds from the user to the provider; this could be achieved by restricting attention to simple types, resource types $R$ of the form $(k_u, 0)$. Indeed this simplification will be quite useful in order to achieve some theoretical properties of our proof methodology; see Definition 4.18 and Section 4.2. Nevertheless the use of the two independent charges $\Gamma^p(-)$ and $\Gamma^u(-)$ allows scope for more interesting examples. In particular it provides considerable scope for variation in the manner in which resource expenditure is recorded in the component $\Gamma^{rec}$; see Example 2.8 for an instance.
We also need to extend cost environments with new resources. 

Definition 2.3 (Resource registration). The cost environment $\Gamma, a:R$ is only defined if $a$ is fresh to $\Gamma$, that is, if $a$ is neither in $\mathrm{dom}(\Gamma^u)$ nor in $\mathrm{dom}(\Gamma^p)$. In this case it gives the new cost environment $\Delta$ obtained by adding the new resource, with the capabilities determined by $R$. Formally the dynamic components of $\Delta$, namely $\Delta^o$ and $\Delta^{rec}$, are inherited directly from $\Gamma$, while the static components have the obvious definition; for example if $R$ is the type $(k_u, k_p)$ then $\Delta^u$ is given by

$\Delta^u(x) = k_u$ if $x = a$, and $\Delta^u(x) = \Gamma^u(x)$ otherwise

and similarly $\Delta^p(a) = k_p$. We also assume that the resource charging for $a$ in $(\Gamma, a:R)$ is always standard. ■

Note that every cost environment may be written in the form

$\Gamma_{dyn}, a_1:R_1, \ldots, a_n:R_n$

where $\Gamma_{dyn}$ is a basic environment; that is the static components $\Gamma^u_{dyn}$ and $\Gamma^p_{dyn}$ are both empty, and so it only contains non-trivial dynamic components.



2.3. Reduction semantics: The pair $(\Gamma \triangleright M)$ is called a configuration provided that $\mathrm{fn}(M) \subseteq \mathrm{dom}(\Gamma^u) = \mathrm{dom}(\Gamma^p)$, that is every free resource name in $M$ is known to the cost environment $\Gamma$. The reduction semantics for Picost is then defined as the least relation over configurations which satisfies the rules in Figure 2. The majority of the rules come directly from the reduction semantics of Dpi, [Hen07], and are housekeeping in nature. The only rule of interest is (r-comm), representing the communication along the channel $a$, or in Picost the use of the resource $a$ by owner $u$ which is provided by owner $p$. However this reduction is only possible whenever the premise $\Gamma \xrightarrow{(u,a,p)} \Delta$ is satisfied. As we have seen, this means that in $\Gamma$ owner $u$ has sufficient funds to cover the cost of using resource $a$ and owner $p$ has sufficient funds to provide it; and further $\Delta$ records the result of the expenditure of both $u$ and $p$ of those funds.

The remainder of the rules are borrowed directly from the standard reduction semantics of Dpi; note that (r-struct) requires a structural equivalence between terms; this again is the standard one from Dpi, the definition of which is given in Figure 3. Also the final rule (r-new) uses the registration operation on cost environments, given in Definition 2.3.

(r-comm)
    Γ --(u,a,p)--> Δ
    ---------------------------------------------------------
    Γ ▷ [a!(v).Q]_u | [a?(x).P]_p  →  Δ ▷ [Q]_u | [P{v/x}]_p

(r-split)
    Γ ▷ [P | Q]_o  →  Γ ▷ [P]_o | [Q]_o

(r-export)
    Γ ▷ [(new r:R)P]_o  →  Γ ▷ (new r:R)[P]_o

(r-unwind)
    Γ ▷ [rec X. T]_o  →  Γ ▷ [T{rec X. T/X}]_o

(r-match)
    Γ ▷ [if a = a then P else Q]_o  →  Γ ▷ [P]_o

(r-mismatch)
    Γ ▷ [if a = b then P else Q]_o  →  Γ ▷ [Q]_o        a ≠ b

(r-struct)
    M ≡ M',   Γ ▷ M → Δ ▷ N,   N ≡ N'
    ------------------------------------
    Γ ▷ M' → Δ ▷ N'

(r-cntx)
    Γ ▷ M → Δ ▷ M'
    ---------------------------
    Γ ▷ M | N → Δ ▷ M' | N

(r-new)
    Γ, b:R ▷ M → Δ, b:R ▷ N
    -----------------------------------------
    Γ ▷ (new b:R)M → Δ ▷ (new b:R)N

Figure 2: Reduction semantics

(s-extr)   (new r:R)(M | N) ≡ M | (new r:R)N,   if r ∉ fn(M)
(s-com)    M | N ≡ N | M
(s-assoc)  (M | N) | O ≡ M | (N | O)
(s-zero)   M | 0 ≡ M
           [stop]_o ≡ 0
(s-flip)   (new r:R)(new r':R')M ≡ (new r':R')(new r:R)M

Figure 3: Structural equivalence of Picost

Proposition 2.4. If $(\Gamma_1 \triangleright M_1)$ is a configuration and $(\Gamma_1 \triangleright M_1) \rightarrow (\Gamma_2 \triangleright M_2)$ then $(\Gamma_2 \triangleright M_2)$ is also a configuration.

Proof. Straightforward, by induction on the proof that $(\Gamma_1 \triangleright M_1) \rightarrow (\Gamma_2 \triangleright M_2)$. When handling the rule (r-struct) it uses the obvious fact that $M \equiv N$ implies that $M$ and $N$ have the same set of free names; this in turn means that $M \equiv N$ implies $\Gamma \triangleright M$ is a configuration if and only if $\Gamma \triangleright N$ is. □

The reductions of a configuration affect its cost environment, and as a sanity check we can describe precisely the kinds of changes which are possible:

Proposition 2.5. Suppose $(\Gamma_1 \triangleright M_1) \rightarrow (\Gamma_2 \triangleright M_2)$. Then

(i) $\Gamma_1 = \Gamma_2$, and $(\Delta \triangleright M_1) \rightarrow (\Delta \triangleright M_2)$ whenever $(\Delta \triangleright M_1)$ is a configuration

(ii) or $\Gamma_1 \xrightarrow{(u,a,p)} \Gamma_2$, for some resource $a$ and owners $u, p$, and whenever $(\Delta \triangleright M_1)$ is a configuration $\Delta \xrightarrow{(u,a,p)} \Delta'$ implies $(\Delta \triangleright M_1) \rightarrow (\Delta' \triangleright M_2)$

(iii) or $\Gamma_1, a:R \xrightarrow{(u,a,p)} \Gamma_2, a:R$, for some (fresh) resource $a$, resource type $R$ and owners $u, p$, and whenever $(\Delta \triangleright M_1)$ is a configuration $\Delta, a:R \xrightarrow{(u,a,p)} \Delta', a:R$ implies $(\Delta \triangleright M_1) \rightarrow (\Delta' \triangleright M_2)$

Proof. Again this is a simple proof by rule induction on the premise $(\Gamma_1 \triangleright M_1) \rightarrow (\Gamma_2 \triangleright M_2)$. Intuitively possibility (i) corresponds to a move where no communication occurs, (ii) is when the move is a communication along a channel $a$ known to $\Gamma_1$, and (iii) when the communication is along a private internal channel. □

  Sys     ⇐ ([Reader]_pub | [Library | Store]_lib)

  where

  Reader  ⇐ rec R. goLib?(name).(new r) reqR!(r, name).r?(b).goHome!(b).R
  Library ⇐ rec L. reqR?(y, z).( y!(book(z)).L
                                ⊕ (new r) reqS!(r, z).r?(b).y!(b).L )
  Store   ⇐ rec S. reqS?(y, z).y!(book(z)).S

Figure 4: Running a library

2.4. Examples: Formally Picost has only unary communication, but in these examples we will informally allow the communication of tuples along channels. In addition we will use the standard abbreviations associated with the pi-calculus. We also omit types for channels when they are not relevant; in such cases we assume that they cost nothing to provide, and that there is no charge for using them. It will be convenient to have an internal choice operator, with $P \oplus Q$ representing an internal choice between $P$ and $Q$. This can be taken to be short-hand notation for $(\mathrm{new}\ c)(c!() \mid c?().P \mid c?().Q)$, where $c$ is a fresh channel.

Example 2.6 (Running a library). Consider the system Sys from Figure 4, which consists of three recursive components: a library user Reader, running under the responsibility of the principal pub, standing for public, and a library interface Library and an auxiliary book depository Store, both running under some other principal lib.

The programming of these components involves the systematic generation of reply channels. Thus for example the Reader gets the name of a book with which to go to the library, generates a new reply channel $r$ and submits this together with the name of the book via reqR; it awaits the book and then returns home. The Store is also very simple; it recursively awaits a request on reqS, consisting of a reply channel and a name, and returns the appropriate book on the reply channel. Finally the Library services requests at reqR consisting of a reply channel and a name. The book may be immediately available, in which case it is returned, or it may be necessary to send a request to the Store.

Let us now consider the behaviour of these systems relative to two cost environments $\Gamma_{local}$, $\Gamma_{central}$ representing two different strategies for providing library services. To focus on the relative cost of providing these services let us assume that their use is free, that is $\Gamma^u_*(a) = 0$ for every resource $a$, where $*$ ranges over local, central, and that the amount of funds available is not an issue, that is $\Gamma^o_*(\mathrm{pub}) = \Gamma^o_*(\mathrm{lib}) = \infty$. The cost of providing the services is given in the table below, reflecting on the one hand the relative convenience to the Reader of the local services, and on the other the relative convenience to the authorities in providing central services.





            local   central
  goLib       1        5
  goHome      1        5
  reqR        3        1
  reqS        5        1

Finally let us take the counters $\Gamma^{rec}_*$ to be initially set to 0. Note that $\Gamma_{local}$ can be written as

$\Gamma_{dyn}, \mathrm{goLib}:R^l_1, \mathrm{goHome}:R^l_2, \mathrm{reqR}:R^l_3, \mathrm{reqS}:R^l_4$

where $R^l_1, R^l_2, R^l_3, R^l_4$ are the types $(0,1), (0,1), (0,3), (0,5)$ respectively, and $\Gamma_{dyn}$ is a basic environment; $\Gamma_{central}$ has a similar representation, with a slightly different sequence of types. To exercise the system we use

Book ⇐ $[\mathrm{goLib}!(\mathrm{str}).\mathrm{goHome}?(x).\mathrm{stop}]_{pub}$

to prod the Reader into action, where str is the name of some book. Consider the configuration

$C_1 = \Gamma_{local} \triangleright (\mathrm{Book} \mid \mathrm{Sys})$,

and let us ignore the computation steps involved in generating reply channels, and general housekeeping such as the unwinding of recursive definitions, which in any event cost nothing. Because of the internal non-determinism in the library service there are essentially two computations from $C_1$. If the Store is not used then after three computation steps which require funds it is in the state $\Delta_{local} \triangleright \mathrm{Sys}$, where $\Delta^{rec}_{local} = 5$. This represents the overall cost of this transaction, 2 of which is paid by pub (for goLib and goHome, which Book and Reader provide to each other) and 3 by lib (for reqR). Note that here the record counts expenditure, $\mathrm{rec}_a(k_u, k_p) = k_p - k_u$, rather than the standard provider's gain, which with free use would be negative; this is why Section 3 reads the units of this example as costs.

On the other hand if the Store is used, then there are four computation steps which require funding, after which the state $\Theta_{local} \triangleright \mathrm{Sys}$ is reached, where $\Theta^{rec}_{local} = 10$. However using the central cost environment $\Gamma_{central}$ the two possibilities are $\Delta^{rec}_{central} = 11$ and $\Theta^{rec}_{central} = 12$ respectively. In each eventuality the local implementation is more efficient, in the sense that the costs are systematically lower. ■

The charging regime for resources is such that their use effectively means a transfer of 
funds to the provider from the user, provided the cost of providing the resource is less than 
the charge for its use. This enables us to implement a systematic way of transferring funds 
between owners. 
  Sys ⇐ [P]_p | [N]_n | [A]_a | [R]_r

  where

  P ⇐ rec P. (new r1) news!(r1).(new r2) adv!(r2).r1?(n).r2?(d).publish?(z).z!(n, d).P
  N ⇐ rec N. news?(r).(new n) r!(n).N
  A ⇐ rec A. adv?(r).(new d) r!(d).A
  R ⇐ rec R. (new r) publish!(r).r?(n, d).R

Figure 5: Publishing

Example 2.7 (Fund transfer). Consider the system defined as follows:

Sys ⇐ $[D]_{dad} \mid [K]_{kate}$

where

D ⇐ $\mathrm{req}?(x).(\mathrm{new}\ s:R_s)\,x!(s).s!.S$

K ⇐ $(\mathrm{new}\ r)\,\mathrm{req}!(r).r?(y).y?.H$

The size of the transfer from dad to kate depends on the type $R_s$ at which the new channel $s$ is declared. Suppose this type is $(k, 0)$, so that using $s$ costs $k$ while providing it costs nothing, and let $\Gamma$ be a cost environment in which $\Gamma^o(\mathrm{dad})$ is at least $k$. Then there is a computation

$(\Gamma \triangleright \mathrm{Sys}) \rightarrow^* (\Delta \triangleright [S]_{dad} \mid [H]_{kate})$

in which $\Delta^o(\mathrm{dad}) = \Gamma^o(\mathrm{dad}) - k$ and $\Delta^o(\mathrm{kate}) = \Gamma^o(\mathrm{kate}) + k$: by Definition 2.2 the user dad pays $k_u = k$ and the provider kate gains $k_u - k_p = k$. ■

Example 2.8 (Publishing). Consider the system Sys in Figure 5, which has four components:

(a) publisher: uses a news service via the resource news, uses an advertising agency via the resource adv and provides the resource publish

(b) news service: provides a service via news

(c) ad agency: provides a service via adv

(d) reader: uses the resource publish

The viability of publishing depends of course on the costs associated with these resources. As an example consider an environment $\Gamma_{327}$, of the form $\Gamma_{dyn}, \mathrm{news}:R_n, \mathrm{adv}:R_a, \mathrm{publish}:R_p$, where these types are $(3,1), (2,0), (7,1)$ respectively, and let us assume $\Gamma^{rec}_{327}$ is initialised to 0. Furthermore, since we are concentrating on the publisher, let us assume that the resource charging is defined so that only the effect on the owner p is recorded. Referring to Definition 2.2 this means that resource charging is standard for publish but we need to set $\mathrm{rec}_a(k_u, k_p)$ to be $-k_u$ if $a$ is either news or adv.

Now consider a computation from the configuration $\Gamma_{327} \triangleright \mathrm{Sys}$. Provided the owners have sufficient funds, specifically $\Gamma^o(\mathrm{n})$ and $\Gamma^o(\mathrm{r})$ must be at least 1 and 7 respectively, and $\Gamma^o(\mathrm{p})$ must be at least 6 (the publisher pays 5 to use news and adv and must still hold the provision cost 1 of publish when the reader's request arrives), then we have a computation

$(\Gamma_{327} \triangleright \mathrm{Sys}) \rightarrow^* (\Delta_1 \triangleright \mathrm{Sys})$

where $\Delta_1^{rec} = 1$; the record part of the initial environment was set to 0, during the computation it was set to $-3$ after the publisher uses the news resource, then to $-5$ after using adv; finally, when the reader uses the publish resource, this is increased by $(7 - 1)$ to give 1. Because we have defined expenditure recording to reflect the point of view of the publisher, this represents the fact that the publisher has made a profit of 1 as a result of this sequence of transactions. Note also that at this point $\Delta_1^o(\mathrm{p})$ is $\Gamma^o_{327}(\mathrm{p}) + 1$.

We can also see what happens when the costs of using resources are changed. Let $\Gamma_{216}$ be the environment in which the cost of using each of the three resources is decreased by 1. Then we have the computation

$(\Gamma_{216} \triangleright \mathrm{Sys}) \rightarrow^* (\Delta_2 \triangleright \mathrm{Sys})$

where now $\Delta_2^{rec} = 2$; this represents an increase in profits for the publisher. ■

Example 2.9 (Kickbacks). Suppose in Figure 5 we change the situation so that the publisher obtains a kickback from the ad agency when an ad is downloaded. The modified code is given by

$P_K$ ⇐ rec P. (new r1) news!(r1).(new r2)(new k:K) adv!(k, r2).r1?(n).r2?(d).publish?(z).k?.z!(n, d).P

$A_K$ ⇐ rec A. adv?(k, r).(new d) r!(d).(A | k!)

and let $\mathrm{Sys}_K$ denote the revised system. The size of the kickback depends on the parameters in the type $K$. In Sys the ad agency receives the benefit 2 for supplying the ad; if we set $K$ to be $(1, 0)$ then in $\mathrm{Sys}_K$ this benefit is split equally with the publisher, since the agency now pays 1 to use the kickback channel $k$, which the publisher provides at no cost. Under the same assumptions as in Example 2.8 we have the computations

$(\Gamma_{327} \triangleright \mathrm{Sys}_K) \rightarrow^* (\Phi_1 \triangleright \mathrm{Sys}_K)$ and $(\Gamma_{216} \triangleright \mathrm{Sys}_K) \rightarrow^* (\Phi_2 \triangleright \mathrm{Sys}_K)$

where now $\Phi_1^{rec}, \Phi_2^{rec}$ are 2, 3 respectively, indicating more profit in each case for the publisher. ■
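The cost environments of Definitions 2.1 to 2.3 and the funded steps of Examples 2.6, 2.8 and 2.9 can be replayed mechanically. The Python below is an added example, not code from the paper: it encodes resource charging as a partial function that returns nothing when premise (i) fails (the case in which (r-comm) is blocked), registration with its freshness check, and each example as a list of (user, resource, provider) communications. The function names, the use of a float infinity for "funds are not an issue", and the constructed starting funds for the publishing example are this example's own choices; for Example 2.6 the record is taken to count expenditure, $\mathrm{rec}_a(k_u, k_p) = k_p - k_u$, since the text reads $\Delta^{rec}$ there as a cost.

```python
"""Cost environments and resource charging for Picost (Definitions 2.1-2.3).

Added example, not code from the paper: a direct encoding of the definitions,
used to replay Examples 2.6, 2.8 and 2.9.  Function names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple

INF = float("inf")   # stand-in for "funds are not an issue" (Example 2.6)
RecFn = Callable[[float, float], float]   # rec_a(k_u, k_p) of Definition 2.2(iii)


def standard_rec(k_u: float, k_p: float) -> float:
    """Standard charging records the provider's gain k_u - k_p."""
    return k_u - k_p


def cost_rec(k_u: float, k_p: float) -> float:
    """Record the net cost k_p - k_u instead (the reading of Example 2.6)."""
    return k_p - k_u


@dataclass(frozen=True)
class CostEnv:
    """Gamma = (Gamma^o, Gamma^u, Gamma^p, Gamma^rec) plus the per-resource rec_a."""
    owners: Dict[str, float]                                  # Gamma^o (dynamic)
    use: Dict[str, float] = field(default_factory=dict)       # Gamma^u (static)
    provide: Dict[str, float] = field(default_factory=dict)   # Gamma^p (static)
    rec: float = 0                                            # Gamma^rec (dynamic)
    rec_fn: Dict[str, RecFn] = field(default_factory=dict)


def register(env: CostEnv, a: str, R: Tuple[float, float],
             rec_fn: RecFn = standard_rec) -> CostEnv:
    """Gamma, a:R (Definition 2.3): only defined when a is fresh to Gamma.

    Registration is standard by default; Examples 2.6 and 2.8 override rec_a.
    """
    if a in env.use or a in env.provide:
        raise ValueError(f"resource {a!r} is not fresh")
    k_u, k_p = R
    return CostEnv(dict(env.owners), {**env.use, a: k_u}, {**env.provide, a: k_p},
                   env.rec, {**env.rec_fn, a: rec_fn})


def charge(env: CostEnv, u: str, a: str, p: str) -> Optional[CostEnv]:
    """The partial function Gamma --(u,a,p)--> Delta of Definition 2.2.

    Returns None when premise (i) fails, i.e. u cannot fund the use of a or
    p cannot fund its provision; that is exactly when (r-comm) is blocked.
    """
    if a not in env.use or u not in env.owners or p not in env.owners:
        raise KeyError(f"{a!r}, {u!r} or {p!r} unknown to the cost environment")
    k_u, k_p = env.use[a], env.provide[a]
    if env.owners[u] < k_u or env.owners[p] < k_p:           # (i)
        return None
    owners = dict(env.owners)
    owners[u] -= k_u                                          # (ii)(a) the user pays k_u
    owners[p] += k_u - k_p                                    # (ii)(b) the provider gains k_u - k_p
    recorded = env.rec_fn.get(a, standard_rec)(k_u, k_p)      # (iii)
    return CostEnv(owners, env.use, env.provide, env.rec + recorded, env.rec_fn)


def run_trace(env: CostEnv, trace: Iterable[Tuple[str, str, str]]) -> CostEnv:
    """Apply a sequence of communications (u, a, p), failing on the first unfunded one."""
    for i, (u, a, p) in enumerate(trace):
        nxt = charge(env, u, a, p)
        if nxt is None:
            raise RuntimeError(f"step {i}: {u} cannot use {a} provided by {p}")
        env = nxt
    return env


# Example 2.6: use is free, funds unlimited; only the funded steps of one Book transaction.
LOCAL = {"goLib": 1, "goHome": 1, "reqR": 3, "reqS": 5}
CENTRAL = {"goLib": 5, "goHome": 5, "reqR": 1, "reqS": 1}


def library_cost(provide_costs: Dict[str, float], use_store: bool) -> float:
    env = CostEnv({"pub": INF, "lib": INF})
    for a, k_p in provide_costs.items():
        env = register(env, a, (0, k_p), cost_rec)
    trace = [("pub", "goLib", "pub"), ("pub", "reqR", "lib")]
    if use_store:
        trace.append(("lib", "reqS", "lib"))
    trace.append(("pub", "goHome", "pub"))
    return run_trace(env, trace).rec


# Examples 2.8 and 2.9: only the publisher's point of view is recorded.
G327 = {"news": (3, 1), "adv": (2, 0), "publish": (7, 1)}
G216 = {"news": (2, 1), "adv": (1, 0), "publish": (6, 1)}
FUNDS = {"p": 6, "n": 1, "a": 0, "r": 7}      # constructed: just enough for one round


def publishing(types: Dict[str, Tuple[float, float]], funds: Dict[str, float],
               kickback: Optional[Tuple[float, float]] = None) -> CostEnv:
    env = CostEnv(dict(funds))
    env = register(env, "news", types["news"], lambda k_u, k_p: -k_u)
    env = register(env, "adv", types["adv"], lambda k_u, k_p: -k_u)
    env = register(env, "publish", types["publish"])              # standard recording
    trace = [("p", "news", "n"), ("p", "adv", "a"), ("r", "publish", "p")]
    if kickback is not None:                                      # Example 2.9
        env = register(env, "k", kickback)                        # (new k:K), k is fresh
        trace.append(("a", "k", "p"))                             # agency's k! meets publisher's k?
    return run_trace(env, trace)


if __name__ == "__main__":
    for name, costs in (("local", LOCAL), ("central", CENTRAL)):
        print(name, library_cost(costs, False), library_cost(costs, True))
    print("Delta_1^rec =", publishing(G327, FUNDS).rec,
          " Phi_1^rec =", publishing(G327, FUNDS, (1, 0)).rec)
```

Running it reproduces 5, 10, 11, 12 for the library and 1, 2, 2, 3 for the four publishing variants; lowering the publisher's funds to 5 makes `run_trace` fail at the publish step, which is the funding condition discussed in Example 2.8.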



3. Compositional reasoning

The aim of this section is to develop a proof methodology for Picost. The idea is to define a behavioural preorder

$(\Gamma \triangleright M) \sqsubseteq (\Delta \triangleright N)$, (3.1)

meaning that in some sense $(\Gamma \triangleright M)$ and $(\Delta \triangleright N)$ offer the same behaviour, but the latter is at least as efficient as the former, and possibly more. We follow the standard approach of defining the preorder (3.1) as the largest relation between Picost configurations satisfying a transfer property, associated with the ability of processes to interact with their peers. We thereby automatically get a co-inductive proof methodology for establishing relationships between configurations.

In fact, referring to (3.1), it is better to move away from terminology such as efficiency as the interpretation depends very much on the nature of the units being recorded. In Example 2.6 these are costs and in such a scenario it is reasonable to interpret (3.1) as saying $(\Delta \triangleright N)$ is an improvement on $(\Gamma \triangleright M)$ as it potentially involves less cost. On the other hand in Example 2.8 the units are profit (for the publisher), and here $(\Gamma \triangleright M)$ would be considered to be an improvement on $(\Delta \triangleright N)$, as there is potential for more profit (for the publisher).
We therefore move to the more neutral terminology of weights. However we can not simply base the formulation of (3.1) on the relative weight associated with each individual action, as the following example shows.

Example 3.1 (Amortising costs). Consider the simple system

UD ⇐ $[\mathrm{rec}\ X.\ \mathrm{up}!.\mathrm{down}!.X]_o$

and let $\Gamma_{25}$ be an environment in which the unique owner $o$ has unlimited funds, the use of up costs 2 and the use of down costs 5. If we compare $(\Gamma_{25} \triangleright \mathrm{UD})$ with $(\Gamma_{42} \triangleright \mathrm{UD})$, where $\Gamma_{42}$ is defined analogously (up costs 4, down costs 2), then intuitively the latter is more efficient than the former, despite the fact that in the latter the action up is more expensive; this is compensated for by the relative costs of the other action down. ■

The remainder of this section is divided into three subsections. In the first we present a theory of amortised weighted bisimulations, based on so-called weighted labelled transition systems, wLTSs. This gives rise to a parametrised behavioural preorder, which we call the amortised weighted bisimulation preorder. The aim is to apply this theory to Picost; with this in mind, in the second subsection we present a (detailed) labelled transition semantics for Picost, and show that it is in agreement with the reduction semantics given in Figure 2. In the third subsection we show how this automatically generates a wLTS, which in turn gives us an amortised weighted bisimulation preorder between Picost configurations. We demonstrate the usefulness of the resulting proof methodology by re-examining the examples from Section 2.4.

3.1. Amortised weighted bisimulations: Here we generalise the concepts of [KAK05]; our aim is to apply them to Picost but our formulation is at a more abstract level.

Definition 3.2 (Weighted labelled transition systems). A weighted labelled transition system or wLTS is a 4-tuple $(S, \mathrm{Act}_\tau, W, \rightarrow)$ where $S$ is a set of states, $W$ a set of weights, and $\rightarrow \subseteq S \times \mathrm{Act}_\tau \times W \times S$. Here $\mathrm{Act}_\tau$ denotes a set of action names Act to which is added an extra distinct name $\tau$ which will represent internal action. We normally write $s \xrightarrow{\mu}_w s'$ to mean $(s, \mu, w, s') \in \rightarrow$. As a default we take the set of weights to be $\mathbb{Z}$, the set of integers, both negative and positive. ■

A wLTS is called standard whenever there is a cost function $\mathrm{weight} : \mathrm{Act} \to W$ with the property that $s \xrightarrow{a}_w s'$ implies $w = \mathrm{weight}(a)$ for every $a \in \mathrm{Act}$. So in a standard wLTS there is a unique weight associated with each external action, although internal actions may have multiple possible associated weights, reflecting the different ways in which these actions may be generated from external moves. The wLTS which we will (eventually) generate for Picost will be standard, but the development below will not require that we are working with standard wLTSs.

Relative to a given wLTS weak moves are generated in the standard manner, although the associated weights need to be accumulated: $s \xRightarrow{\mu}_w s'$ is the least relation satisfying:

• $s \xrightarrow{\mu}_w s'$ implies $s \xRightarrow{\mu}_w s'$

• $s \xRightarrow{\mu}_w s'$, $s' \xrightarrow{\tau}_v s''$ implies $s \xRightarrow{\mu}_{(w+v)} s''$

• $s \xrightarrow{\tau}_w s'$, $s' \xRightarrow{\mu}_v s''$ implies $s \xRightarrow{\mu}_{(w+v)} s''$

We also use a variation on the standard notation $s \xRightarrow{\hat\mu}_w t$ from [Mil89]: when $\mu$ is any action other than $\tau$ this denotes $s \xRightarrow{\mu}_w t$, but when it is $\tau$ it means either that $s \xRightarrow{\tau}_w t$ or that $s$ is $t$ and $w = 0$.

Definition 3.3 (Amortised weighted bisimulations). A family of relations $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ over the states in a wLTS is called an amortised weighted bisimulation whenever $s\ \mathcal{R}_n\ t$ implies:

(i) $s \xrightarrow{\mu}_v s'$ implies $t \xRightarrow{\hat\mu}_w t'$ for some $t', w$ such that $s'\ \mathcal{R}_{(n+v-w)}\ t'$

(ii) conversely, $t \xrightarrow{\mu}_w t'$ implies $s \xRightarrow{\hat\mu}_v s'$ for some $s', v$ such that $s'\ \mathcal{R}_{(n+v-w)}\ t'$. ■

Here the parametrisation with respect to $\mathbb{N}$ puts an extra requirement on the standard transfer properties associated with bisimulations. In (i) and (ii) above the index $(n + v - w)$ must be in $\mathbb{N}$, that is must be non-negative. So for example if the amortisation $n$ is 0 then $v$, the weight of the left hand action, must be greater than or equal to $w$, the weight of the right hand action. For this reason a standard bisimulation, which ignores the weights, may not be an amortised weighted bisimulation. But the more general effect of the parameter $n$ in the definition is to allow a relaxation in the comparison between the actual weights of the actions in the processes being compared; this point is explained in detail in Example 3.6.

We can mimic the standard development of bisimulations and write $s \sqsubseteq^m_{\mathrm{wgt}} s'$ to say that there is some amortised weighted bisimulation $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ such that $s\ \mathcal{R}_m\ s'$. Amortised weighted bisimulations are (point-wise) closed under unions, and therefore we can mimic the standard development of bisimulation equivalence, [Mil89], to obtain the following:

Proposition 3.4.

(a) The family of relations $\{\sqsubseteq^n_{\mathrm{wgt}} \mid n \in \mathbb{N}\}$ is an amortised weighted bisimulation.

(b) This family is the largest (point-wise) amortised weighted bisimulation.

(c) If $s \sqsubseteq^n_{\mathrm{wgt}} t$ and $s \xRightarrow{\mu}_v s'$ then $t \xRightarrow{\hat\mu}_w t'$ for some $t', w$ such that $s' \sqsubseteq^{(n+v-w)}_{\mathrm{wgt}} t'$.

Proof. Straightforward, using standard techniques. □

When we are uninterested in the exact amortisation used we write simply $s \sqsubseteq_{\mathrm{wgt}} t$, meaning that there is some $k \geq 0$ such that $s \sqsubseteq^k_{\mathrm{wgt}} t$, and we refer to this preorder as the amortised weighted bisimulation preorder.

Proposition 3.5.

(a) The relations $\sqsubseteq^{n}_{\mathrm{wgt}}$ are reflexive.

(b) $s_1 \sqsubseteq^{n}_{\mathrm{wgt}} s_2$ and $s_2 \sqsubseteq^{m}_{\mathrm{wgt}} s_3$ implies $s_1 \sqsubseteq^{(n+m)}_{\mathrm{wgt}} s_3$.

(c) $\sqsubseteq^{m}_{\mathrm{wgt}} \subseteq \sqsubseteq^{n}_{\mathrm{wgt}}$ whenever $m \leq n$.

Proof. In each case it is sufficient to exhibit a suitable amortised weighted bisimulation, that is a suitable family of relations over states. For example to prove (b) we let $\mathcal{R}_k$, for $k \geq 0$, be the set of pairs $(s_1, s_2)$ such that $s_1 \sqsubseteq^{n}_{\mathrm{wgt}} s_3$ and $s_3 \sqsubseteq^{m}_{\mathrm{wgt}} s_2$ for some state $s_3$ and some numbers $n, m$ such that $k = n + m$.

To show $\{\mathcal{R}_k \mid k \in \mathbb{N}\}$ is an amortised weighted bisimulation let us suppose $s_1\,\mathcal{R}_k\,s_2$ and $s_1 \xrightarrow{\alpha}_v s'_1$; we have to prove

$s_2 \stackrel{\hat{\alpha}}{\Longrightarrow}_w s'_2$ for some $s'_2$ satisfying $s'_1\,\mathcal{R}_{(k+v-w)}\,s'_2$ (3.2)

(The proof of the symmetric requirement is similar.)

(i) From $s_1 \sqsubseteq^{n}_{\mathrm{wgt}} s_3$ we know $s_3 \stackrel{\hat{\alpha}}{\Longrightarrow}_u s'_3$ such that $s'_1 \sqsubseteq^{(n+v-u)}_{\mathrm{wgt}} s'_3$

(ii) From $s_3 \sqsubseteq^{m}_{\mathrm{wgt}} s_2$, and the final part of the previous Proposition, we know $s_2 \stackrel{\hat{\alpha}}{\Longrightarrow}_w s'_2$ such that $s'_3 \sqsubseteq^{(m+u-w)}_{\mathrm{wgt}} s'_2$.

But since $(n+v-u) + (m+u-w) = (k+v-w)$ we have $s'_1\,\mathcal{R}_{(k+v-w)}\,s'_2$ and the requirement (3.2) follows.

The proof of part (c) is similar using the family of relations $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$, where $s\,\mathcal{R}_n\,t$ whenever $s \sqsubseteq^{m}_{\mathrm{wgt}} t$ for some $m \leq n$, while the proof of part (a) uses the family where each $\mathcal{R}_n$ is the identity relation. □

Example 3.6 (Amortising costs continued). Here we continue with Example 3.1. Shortly we will see a systematic way of associating weights with actions in Picost. But informally we can simply say

$\mathcal{C}_{25} \xrightarrow{\tau} \xrightarrow{\mathsf{up}!}_{2} \mathcal{D}_{25} \xrightarrow{\mathsf{down}!}_{5} \mathcal{C}_{25}$

where $\mathcal{C}_{25}$ and $\mathcal{D}_{25}$ are abbreviations for the configurations $(\Gamma_{25} \triangleright \mathsf{UD})$, respectively $(\Gamma_{25} \triangleright [\mathsf{down}!.\mathsf{rec}\,x.\,\mathsf{up}!.\mathsf{down}!.x])$, and analogously for $(\Gamma_{42} \triangleright \mathsf{UD})$. Then relative to this induced wLTS we can show that the following is a weighted bisimulation:

$\mathcal{R}_n = \{(\mathcal{D}_{25}, \mathcal{D}_{42})\} \cup \{(\mathcal{C}_{25}, \mathcal{C}_{42}) \mid n \geq 2\}$

It follows that

$(\Gamma_{25} \triangleright \mathsf{UD}) \sqsubseteq^{2}_{\mathrm{wgt}} (\Gamma_{42} \triangleright \mathsf{UD})$

However $(\Gamma_{42} \triangleright \mathsf{UD}) \not\sqsubseteq^{k}_{\mathrm{wgt}} (\Gamma_{25} \triangleright \mathsf{UD})$ for any $k$. To see this suppose $\{\mathcal{R}_n \mid n \geq 0\}$ is a weighted bisimulation; we prove by induction on $k$ that

$(\mathcal{D}_{42}, \mathcal{D}_{25}) \notin \mathcal{R}_{(k+2)}$ and $(\mathcal{C}_{42}, \mathcal{C}_{25}) \notin \mathcal{R}_{k}$ (3.3)

First notice that the pair $(\mathcal{D}_{42}, \mathcal{D}_{25})$ can not be in $\mathcal{R}_2$; this is because the move $\mathcal{D}_{42} \xrightarrow{\mathsf{down}!}_{2} \mathcal{C}_{42}$ can not be matched by a move $\mathcal{D}_{25} \stackrel{\mathsf{down}!}{\Longrightarrow}_{w} \mathcal{C}_{25}$ such that $\mathcal{C}_{42}\,\mathcal{R}_{(2+2-w)}\,\mathcal{C}_{25}$. The only possible candidate is the move $\mathcal{D}_{25} \xrightarrow{\mathsf{down}!}_{5} \mathcal{C}_{25}$ and $\mathcal{R}_{-1}$ does not exist.

From this fact it follows immediately that the pair $(\mathcal{C}_{42}, \mathcal{C}_{25})$ can not be in $\mathcal{R}_0$; for matching the move $\mathcal{C}_{42} \xrightarrow{\mathsf{up}!}_{4} \mathcal{D}_{42}$ would require the impossible, that $(\mathcal{D}_{42}, \mathcal{D}_{25})$ be in $\mathcal{R}_2$. In other words we have shown (3.3) in the case when $k = 0$.

Suppose it is true for $k$; the proof that it follows for $(k+1)$ is also straightforward. This is because

• for $(\mathcal{D}_{42}, \mathcal{D}_{25})$ to be in $\mathcal{R}_{(k+3)}$ we would require that $(\mathcal{C}_{42}, \mathcal{C}_{25})$ be in $\mathcal{R}_{(k+3+2-5)}$, which contradicts the induction hypothesis

• for $(\mathcal{C}_{42}, \mathcal{C}_{25})$ to be in $\mathcal{R}_{(k+1)}$ we would require $(\mathcal{D}_{42}, \mathcal{D}_{25})$ to be in $\mathcal{R}_{(k+1+4-2)}$, which we have just shown not to be possible.

It is important that the set of natural numbers $\mathbb{N}$ is used in Definition 3.3, or at least that the family of relations be parametrised relative to a well-founded order. If instead we allowed families of relations $\{\mathcal{R}_z \mid z \in \mathbb{Z}\}$, where $\mathbb{Z}$ is the set of all integers, positive and negative, then $(\Gamma_{42} \triangleright \mathsf{UD}) \sqsubseteq^{0}_{\mathrm{wgt}} (\Gamma_{25} \triangleright \mathsf{UD})$ would follow. Simply letting $\mathcal{R}_z = \{(\mathcal{C}_{42}, \mathcal{C}_{25}), (\mathcal{D}_{42}, \mathcal{D}_{25})\}$ for every $z \in \mathbb{Z}$, we would obtain an extended family of relations trivially satisfying the requirements in Definition 3.3. Indeed in general, using $\mathbb{Z}$ in place of $\mathbb{N}$, there would be no difference between amortised weighted bisimulations and standard bisimulations (where all weights are ignored). ■
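The transfer properties of Definition 3.3 can be checked mechanically on a finite wLTS. The following Python checker is an added example, not code from the paper: it encodes the informal wLTS of Example 3.6 (the state names C25, D25, C42, D42, the data layout and the cap on the weak-move search are assumptions of mine), confirms the witness family above, shows that the swapped family already fails at n = 0, and shows that the failure disappears once indices may range over the integers.

```python
# Added example, not from the paper: a checker for the transfer properties of
# Definition 3.3 (amortised weighted bisimulation) on a finite wLTS, applied to
# the two configurations of Example 3.6.  The state names C25, D25, C42, D42,
# the data layout and WEIGHT_CAP are my own; the labels and weights are the
# ones the example gives (up! weighs 2 and down! 5 under Gamma_25, 4 and 2
# under Gamma_42).
from collections import defaultdict

TAU = "tau"
WEIGHT_CAP = 1000   # bounds the weak-move search so that tau-cycles terminate


class WLTS:
    """A finite weighted LTS: strong moves  s --label-->_w t."""

    def __init__(self):
        self.moves = defaultdict(list)      # state -> [(label, weight, target)]

    def add(self, s, label, w, t):
        self.moves[s].append((label, w, t))

    def tau_closure(self, s):
        """All (t, w) with s ==>_w t by zero or more tau moves, weights summed."""
        seen, todo = {(s, 0)}, [(s, 0)]
        while todo:
            x, w = todo.pop()
            for label, v, y in self.moves[x]:
                if label == TAU and w + v <= WEIGHT_CAP and (y, w + v) not in seen:
                    seen.add((y, w + v))
                    todo.append((y, w + v))
        return seen

    def weak(self, s, label):
        """s ==label-hat==>_w t.  For tau this is the closure itself, so s may
        answer a tau move by staying put with w = 0, as the text above defines."""
        if label == TAU:
            return self.tau_closure(s)
        out = set()
        for x, w1 in self.tau_closure(s):
            for lab, v, y in self.moves[x]:
                if lab == label:
                    for t, w2 in self.tau_closure(y):
                        out.add((t, w1 + v + w2))
        return out


def is_amortised_bisimulation(lts, family, max_n, integer_indices=False):
    """Check clauses (i) and (ii) of Definition 3.3 for every n <= max_n and
    every pair (s, t) in family(n).  With integer_indices=True the index
    n + v - w may go negative, i.e. the Z-indexed variant the example warns
    against."""
    def index_ok(i):
        return integer_indices or i >= 0

    for n in range(max_n + 1):
        for s, t in family(n):
            # (i): each strong move of s is matched by a weak move of t
            for label, v, s1 in lts.moves[s]:
                if not any(index_ok(n + v - w) and (s1, t1) in family(n + v - w)
                           for t1, w in lts.weak(t, label)):
                    return False
            # (ii): each strong move of t is matched by a weak move of s
            for label, w, t1 in lts.moves[t]:
                if not any(index_ok(n + v - w) and (s1, t1) in family(n + v - w)
                           for s1, v in lts.weak(s, label)):
                    return False
    return True


def ud_wlts():
    """The informal wLTS of Example 3.6 (the unwinding tau move omitted, as there)."""
    lts = WLTS()
    lts.add("C25", "up!", 2, "D25")
    lts.add("D25", "down!", 5, "C25")
    lts.add("C42", "up!", 4, "D42")
    lts.add("D42", "down!", 2, "C42")
    return lts


def example_family(n):
    """R_n = {(D25, D42)} u {(C25, C42) | n >= 2}, the witness from the example."""
    pairs = {("D25", "D42")}
    if n >= 2:
        pairs.add(("C25", "C42"))
    return pairs


def swapped_family(n):
    """The constant family for (Gamma_42 |> UD) versus (Gamma_25 |> UD).  It
    fails at n = 0 already: D42 --down!-->_2 C42 can only be answered by
    D25 --down!-->_5 C25 and the index 0 + 2 - 5 is negative."""
    return {("C42", "C25"), ("D42", "D25")}


if __name__ == "__main__":
    lts = ud_wlts()
    print(is_amortised_bisimulation(lts, example_family, 10))                        # True
    print(is_amortised_bisimulation(lts, swapped_family, 10))                        # False
    print(is_amortised_bisimulation(lts, swapped_family, 10, integer_indices=True))  # True
```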

3.2. An operational semantics for Picost. As a first step in applying the theory of 
amortised weighted bisimulations to Picost we give an operational semantics for the language 
in terms of a (standard) LTS. 

In Figure 6 and Figure 7 we give a set of rules for deriving judgements of the form

$(\Gamma \triangleright M) \xrightarrow{\lambda} (\Delta \triangleright N),$

where $\lambda$ can take one of the forms

(i) internal action, $\tau$

(ii) input, $(u, (\tilde{r}{:}\tilde{R})a?v, p)$: input by resource $a$ of a known or fresh name, or value, where $p$ is the provider of the resource and $u$ the user

(iii) output, $(u, (\tilde{r}{:}\tilde{R})a!v, p)$: delivery of a known or fresh name to resource $a$, where again $p$ is the provider of the resource and $u$ the user.

We restrict attention to well-formed $\lambda$, that is, in the input and output actions each $r_i$ must occur somewhere in $v$, and applications of the rules must preserve well-formedness. However note that because Picost only uses unary communication the vectors $(\tilde{r})$, $(\tilde{b})$ will have length either $0$ or $1$.

The rules are inherited directly from the corresponding ones for Dpi, [Hen07], and for the sake of clarity obvious symmetric rules, such as for (l-comm) and (l-cntx), are omitted; Barendregt's convention is also liberally applied, for example in omitting side-conditions to (l-cntx). The only point of interest is the use of the preconditions $\Gamma \xrightarrow{(u,a,p)} \Delta$ in (l-in) and (l-out); communication is only deemed to be possible if it can be paid for in some manner. Note that $u$ in (l-in), and $p$ in (l-out), are free meta-variables. So for example the simple process $[a!(v).P]_o$ can perform the actions $\Gamma \triangleright [a!(v).P]_o \xrightarrow{(o,a!v,o')} \Delta \triangleright [P]_o$ for every owner $o' \in \mathsf{Own}$ such that $\Gamma \xrightarrow{(o,a,o')} \Delta$. Also in the communication rule (l-comm) any new resources used in the communication, $\tilde{r}{:}\tilde{R}$, remain private but in general the resulting cost environment $\Delta$ will be different from $\Gamma$; the internal communication involves the use of a resource, and the change from $\Gamma$ to $\Delta$ will reflect the associated costs.

We can perform a number of sanity checks on these rules. For example one can show that if $(\Gamma_1 \triangleright P_1) \xrightarrow{(u,(b{:}R)\alpha,p)} (\Gamma_2 \triangleright P_2)$ then $\Gamma_2 = \Delta, b{:}R$ for some $\Delta$ such that $\Gamma_1 \xrightarrow{(u,a,p)} \Delta$, for some $u, p$, where $a$ is the channel used in $\alpha$; a more detailed analysis of the possible judgements is given in the two lemmas below. The actions also preserve configurations:

Proposition 3.7. If $(\Gamma_1 \triangleright M_1)$ is a configuration and $(\Gamma_1 \triangleright M_1) \xrightarrow{\lambda} (\Gamma_2 \triangleright M_2)$ then $(\Gamma_2 \triangleright M_2)$ is also a configuration.

Proof. A straightforward induction on the inference of the judgements. □

We also have a consistency check with respect to the reduction semantics of Section 2, stated in the theorem below; the proof requires two technical lemmas.

Lemma 3.8 (Deriv-output). Suppose $\Gamma \triangleright M \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a!v,p)} \Delta \triangleright N$. Then

(i) $\Delta = (\Gamma', \tilde{r}{:}\tilde{R})$ for some $\Gamma'$
[Figure 6: An action semantics for Picost: main rules. The rules, rendered in text form:]

(l-in): from $\Gamma \xrightarrow{(u,a,o)} \Delta$ infer $\Gamma \triangleright [a?(x).P]_o \xrightarrow{(u,a?v,o)} \Delta \triangleright [P\{v/x\}]_o$, provided $v \in \mathrm{dom}(\Gamma^u)$ or $v$ is not a channel; and infer $\Gamma \triangleright [a?(x).P]_o \xrightarrow{(u,(b{:}R)a?b,o)} \Delta, b{:}R \triangleright [P\{b/x\}]_o$, provided $b \notin \mathrm{dom}(\Gamma^u)$.

(l-out): from $\Gamma \xrightarrow{(o,a,p)} \Delta$ infer $\Gamma \triangleright [a!(v).P]_o \xrightarrow{(o,a!v,p)} \Delta \triangleright [P]_o$.

(l-comm): from $\Gamma \triangleright M \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a?v,p)} \Delta, \tilde{r}{:}\tilde{R} \triangleright M'$ and $\Gamma \triangleright N \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a!v,p)} \Delta, \tilde{r}{:}\tilde{R} \triangleright N'$ infer $\Gamma \triangleright M \mid N \xrightarrow{\tau} \Delta \triangleright (\mathsf{new}\,\tilde{r}{:}\tilde{R})(M' \mid N')$.

[Figure 7: An action semantics for Picost: more rules.]

(l-open): from $\Gamma, b{:}R \triangleright M \xrightarrow{(u,a!b,p)} \Gamma' \triangleright M'$ infer $\Gamma \triangleright (\mathsf{new}\,b{:}R)M \xrightarrow{(u,(b{:}R)a!b,p)} \Gamma' \triangleright M'$.

(l-export): $\Gamma \triangleright [(\mathsf{new}\,r{:}R)P]_o \xrightarrow{\tau} \Gamma \triangleright (\mathsf{new}\,r{:}R)[P]_o$.

(l-split): $\Gamma \triangleright [M \mid N]_o \xrightarrow{\tau} \Gamma \triangleright [M]_o \mid [N]_o$.

(l-unwind): $\Gamma \triangleright [\mathsf{rec}\,x.T]_o \xrightarrow{\tau} \Gamma \triangleright [T\{\mathsf{rec}\,x.T/x\}]_o$.

(l-match): $\Gamma \triangleright [\mathsf{if}\ a = a\ \mathsf{then}\ P\ \mathsf{else}\ Q]_o \xrightarrow{\tau} \Gamma \triangleright [P]_o$.

(l-mismatch): $\Gamma \triangleright [\mathsf{if}\ a = b\ \mathsf{then}\ P\ \mathsf{else}\ Q]_o \xrightarrow{\tau} \Gamma \triangleright [Q]_o$, provided $a \neq b$.

(l-cntx), parallel composition: premise $\Gamma \triangleright M \xrightarrow{\lambda} \Gamma' \triangleright M'$ (the conclusion is not legible here).

(l-cntx), restriction: from $\Gamma, b{:}R \triangleright M \xrightarrow{\lambda} \Gamma', b{:}R \triangleright M'$ infer $\Gamma \triangleright (\mathsf{new}\,b{:}R)M \xrightarrow{\lambda} \Gamma' \triangleright (\mathsf{new}\,b{:}R)M'$, provided $b \notin \mathrm{n}(\lambda)$.



(ii) $\Gamma \xrightarrow{(u,a,p)} \Gamma'$

(iii) $M \equiv (\mathsf{new}\,\tilde{r}{:}\tilde{R})(M' \mid [a!(v).Q]_u)$

(iv) $N \equiv (M' \mid [Q]_u)$

(v) $\Theta \triangleright M \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a!v,p')} \Theta', \tilde{r}{:}\tilde{R} \triangleright N$ whenever $\Theta \xrightarrow{(u,a,p')} \Theta'$, for any owner $p'$.

Proof. By induction on the derivation of $\Gamma \triangleright M \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a!v,p)} \Delta \triangleright N$. □

Lemma 3.9 (Deriv-input). Suppose $\Gamma \triangleright M \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a?v,p)} \Delta \triangleright N$. Then

(i) $\Delta = (\Gamma', \tilde{r}{:}\tilde{R})$ for some $\Gamma'$

(ii) $\Gamma \xrightarrow{(u,a,p)} \Gamma'$

(iii) $M \equiv (\mathsf{new}\,\tilde{c}{:}\tilde{C})([a?(x).T]_p \mid M')$

(iv) $N \equiv (\mathsf{new}\,\tilde{c}{:}\tilde{C})([T\{v/x\}]_p \mid M')$

(v) $\Theta \triangleright M \xrightarrow{(u',(\tilde{r}{:}\tilde{R}')a?v,p)} \Theta', \tilde{r}{:}\tilde{R}' \triangleright N$ whenever $\Theta \xrightarrow{(u',a,p)} \Theta'$, for any owner $u'$, and types $(\tilde{R}')$.

Proof. Again a straightforward induction on the derivation of $\Gamma \triangleright M \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a?v,p)} \Delta \triangleright N$. Note that in part (v) arbitrary types $(\tilde{R}')$ can be used because there is no restriction on the type $R$ in the second part of the rule (l-in) in Figure 6. □

Theorem 3.10. $\Gamma \triangleright M \longrightarrow \Delta \triangleright N$ if and only if $\Gamma \triangleright M \xrightarrow{\tau} \Delta \triangleright N'$ for some $N'$ such that $N \equiv N'$.

Proof (Outline). First we need to show the auxiliary result that structural equivalence is preserved by actions. That is $\Gamma \triangleright M \xrightarrow{\lambda} \Delta \triangleright M'$ and $M \equiv N$ implies $\Gamma \triangleright N \xrightarrow{\lambda} \Delta \triangleright N'$ for some $N'$ such that $M' \equiv N'$; this is proved by induction on the proof of the fact that $M \equiv N$ from the rules in Figure O. Then a straightforward proof by induction on the derivation of $\Gamma \triangleright M \longrightarrow \Delta \triangleright N$ from the rules in Figure 2 will show that this implies $\Gamma \triangleright M \xrightarrow{\tau} \Delta \triangleright N'$ with $N \equiv N'$; the auxiliary result is required when considering the rule (r-struct).

To prove the converse we also employ the two previous lemmas, giving the structure of input and output actions. Suppose $\Gamma \triangleright M \xrightarrow{\tau} \Delta \triangleright N$; we prove by rule induction that $\Gamma \triangleright M \longrightarrow \Delta \triangleright N$. The only non-trivial case is when this judgement is inferred using the rule (l-comm), or its dual. So without loss of generality we know

• $M = M_1 \mid M_2$

• $N = (\mathsf{new}\,\tilde{r}{:}\tilde{R})(N_1 \mid N_2)$

• $\Gamma \triangleright M_1 \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a?v,p)} \Delta, \tilde{r}{:}\tilde{R} \triangleright N_1$

• $\Gamma \triangleright M_2 \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a!v,p)} \Delta, \tilde{r}{:}\tilde{R} \triangleright N_2$

The previous two lemmas can now be applied to obtain the structure of $M_1, M_2, N_1$ and $N_2$, up to structural equivalence; by rearranging $M_1 \mid M_2$, again using the structural equivalence rules, an application of (r-comm) followed by one of (r-struct) gives the required $\Gamma \triangleright M \longrightarrow \Delta \triangleright N$. □



3.3. A proof methodology for Picost. The operational semantics given in the previous subsection can be used in a straightforward way to obtain a wLTS for Picost configurations. It suffices to attach a weight to the actions, which can be done in a systematic manner: we write

$(\Gamma \triangleright M) \xrightarrow{\lambda}_w (\Delta \triangleright N)$

whenever

• $(\Gamma \triangleright M) \xrightarrow{\lambda} (\Delta \triangleright N)$ can be deduced from the rules in Figure 6 and Figure 7

• $w = (\Delta^{\mathrm{rec}} - \Gamma^{\mathrm{rec}})$

Note that the weight associated with an action is ultimately determined by the manner in which expenditure is recorded in the cost environments; this may reflect the cost of providing the resource in question, as in Example 2.6, the profit to be gained by a particular owner in the use of the resource, as in Example 2.8, or combinations of such concerns. We can now apply Definition 3.3 to this wLTS to obtain a family of preorders

$(\Gamma \triangleright M) \sqsubseteq^{n}_{\mathrm{wgt}} (\Delta \triangleright N)$ (3.4)

between Picost configurations. However we must be somewhat careful here, as some of the actions used involve bound names; but by a systematic application of Barendregt's convention, mentioned on page 3, confusions between these and free names can be avoided.

As is well-known, the relations (3.4) come equipped with a powerful co-inductive proof methodology. In order to prove $(\Gamma \triangleright M) \sqsubseteq^{k}_{\mathrm{wgt}} (\Delta \triangleright N)$ for a particular $k$ it is sufficient to exhibit a family of relations $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ which satisfy the transfer properties of Definition 3.3 such that $\mathcal{R}_k$ contains the pair $(\Gamma \triangleright M, \Delta \triangleright N)$. In the remainder of this section we apply this proof methodology to the examples in Section 2. This allows us to reason about the behaviour of systems, how they interact with other systems, rather than simply about their computation runs.

Example 3.11 (Running a library, revisited). Referring to the definitions in Example 2.6, by exhibiting a witness weighted bisimulation it is possible to show

$(\Gamma_{\mathrm{central}} \triangleright [\mathsf{Reader}]_{\mathsf{pub}}) \sqsubseteq^{0}_{\mathrm{wgt}} (\Gamma_{\mathrm{local}} \triangleright [\mathsf{Reader}]_{\mathsf{pub}})$

This is despite the fact that the local use of the service reqR is more expensive than the central use; this is compensated for by the fact that both goLib and goHome are less expensive locally. It is also worth noting that although the use of resources in both $\Gamma_{\mathrm{central}}$ and $\Gamma_{\mathrm{local}}$ is free, in the generated wLTS the output actions actually have non-zero weights associated with them. For example, a typical run in this wLTS from $(\Gamma_{\mathrm{central}} \triangleright [\mathsf{Reader}]_{\mathsf{pub}})$ takes the form

$(\Gamma_{\mathrm{central}} \triangleright [\mathsf{Reader}]_{\mathsf{pub}}) \xrightarrow{\mathsf{goLib}?n}_{5} \cdots \xrightarrow{(r)\mathsf{reqR}!(r,n)}_{?} \cdots \xrightarrow{\mathsf{goHome}!b}_{5} \cdots$

whereas the corresponding local run is

$(\Gamma_{\mathrm{local}} \triangleright [\mathsf{Reader}]_{\mathsf{pub}}) \xrightarrow{\mathsf{goLib}?n}_{1} \cdots \xrightarrow{(r)\mathsf{reqR}!(r,n)}_{3} \cdots \xrightarrow{\mathsf{goHome}!b}_{1} \cdots$

To compare the efficiency of the library service itself we consider the following definitions

$\mathsf{Lib}_{\mathrm{local}} \Leftarrow (\mathsf{new}\,\mathsf{reqS}{:}R_l)([\mathsf{Library} \mid \mathsf{Store}]_{\mathsf{lib}})$

$\mathsf{Lib}_{\mathrm{central}} \Leftarrow (\mathsf{new}\,\mathsf{reqS}{:}R_c)([\mathsf{Library} \mid \mathsf{Store}]_{\mathsf{lib}})$

where, as explained in Example 2.6, $R_l$, $R_c$ are the types $(0, 5)$, $(0, 1)$ respectively; here the interaction between the library and the store has been internalised, with types reflecting the relative cost of local and central access. Both these configurations simply provide the service reqR, and viewed in isolation the local service is not more efficient than the central one; no matter what $n$ we choose, we have

$(\Gamma_{\mathrm{central}} \triangleright \mathsf{Lib}_{\mathrm{central}}) \not\sqsubseteq^{n}_{\mathrm{wgt}} (\Gamma_{\mathrm{local}} \triangleright \mathsf{Lib}_{\mathrm{local}})$ (3.5)

However if we combine the library service with the reader then the overall system is locally more efficient than the centralised one:

$(\Gamma_{\mathrm{central}} \triangleright \mathsf{Sys}_{\mathrm{central}}) \sqsubseteq_{\mathrm{wgt}} (\Gamma_{\mathrm{local}} \triangleright \mathsf{Sys}_{\mathrm{local}})$ (3.6)

where

$\mathsf{Sys}_{\mathrm{local}} \Leftarrow (\mathsf{new}\,\mathsf{reqR}{:}R_r)([\mathsf{Reader}]_{\mathsf{pub}} \mid \mathsf{Lib}_{\mathrm{local}})$

$\mathsf{Sys}_{\mathrm{central}} \Leftarrow (\mathsf{new}\,\mathsf{reqR}{:}R_r)([\mathsf{Reader}]_{\mathsf{pub}} \mid \mathsf{Lib}_{\mathrm{central}})$

We should point out that in (3.5) and (3.6) we have used the full cost environments $\Gamma_{\mathrm{local}}$, $\Gamma_{\mathrm{central}}$, despite the fact that some of the resources have been restricted in the systems; this is simply in order to avoid the definition of even more environments.

As an example of how such statements can be proved see Section A.1 in the appendix for a witness bisimulation which establishes (3.6). ■



4. Contextual characterisation 

In the previous section we have demonstrated that the preorders $\sqsubseteq_{\mathrm{wgt}}$ provide a useful co-inductive methodology for comparing the behaviour of processes, relative to resource costs. In this section we critically review its formulation, revealing some significant inadequacies, and offer a revised version where these are addressed.

Informally we would expect at least the following two properties of a proof methodology: 

(a) It should support compositional reasoning, whereby the analysis of process behaviour 
can be carried out structurally. 

(b) Soundness: Any relationship established between the behaviour of processes using the 
proof methodology should be justifiable in some independent manner. 

Further we could hope for: 

(c) Completeness: any pair of processes which are intuitively behaviourally related, should 
be provably related using our methodology. 

Relative to our language Picost the first criterion, (a), is straightforward to formalise, as a property of the preorders $\sqsubseteq^{n}_{\mathrm{wgt}}$.

Definition 4.1 (Compositional). A relation $\mathcal{R}$ over Picost configurations is said to be compositional whenever $(\Gamma \triangleright M)\,\mathcal{R}\,(\Delta \triangleright N)$ implies

(i) $(\Gamma \triangleright M \mid O)\,\mathcal{R}\,(\Delta \triangleright N \mid O)$, provided $(\Gamma \triangleright M \mid O)$ and $(\Delta \triangleright N \mid O)$ are configurations

(ii) $(\Gamma, r{:}R \triangleright M)\,\mathcal{R}\,(\Delta, r{:}R \triangleright N)$. ■

We could of course demand that the relation 1Z should be preserved by all the operators 
in the language, but for the purposes of the discussion to follow it is sufficient to concentrate 
on the two most important ones. 

Our first remark is that the relations $\sqsubseteq^{n}_{\mathrm{wgt}}$ are not compositional, and therefore our proposed proof methodology does not support compositional reasoning.

Example 4.2 (Non-compositionality). Let $\Gamma$ be a cost environment with two owners $o, p$ and two resources $a, b$. Suppose further that $\Gamma^{o}(o) = \Gamma^{o}(p) = \infty$, while $\Gamma^{u}(a) = 20$, $\Gamma^{u}(b) = 10$; the remaining fields in $\Gamma$ are unimportant, but to be definite let us say that $\Gamma^{p}(a) = \Gamma^{p}(b) = 0$. Let $\Delta$ be another cost environment with the same resources, with both usage costs being $10$, and the same owners, but with the difference that $\Delta^{o}(o) = 10$. Then it is easy to check that

$\Gamma \triangleright [a!]_o \sqsubseteq_{\mathrm{wgt}} \Delta \triangleright [a!]_o$

However one can also show that

$\Gamma \triangleright [a!]_o \mid [b!]_o \not\sqsubseteq_{\mathrm{wgt}} \Delta \triangleright [a!]_o \mid [b!]_o$

The problem occurs when we consider the action $(\Gamma \triangleright [a!]_o \mid [b!]_o) \xrightarrow{(o,b!,p)} (\Gamma_1 \triangleright [a!]_o \mid [\mathsf{stop}]_o)$. This can be matched by the action $(\Delta \triangleright [a!]_o \mid [b!]_o) \xrightarrow{(o,b!,p)} (\Delta_1 \triangleright [a!]_o \mid [\mathsf{stop}]_o)$ but at the expense of exhausting all of $o$'s funds. $\Delta^{o}(o)$ is now set to $0$ and therefore the action $(\Gamma_1 \triangleright [a!]_o \mid [\mathsf{stop}]_o) \xrightarrow{(o,a!,p)} (\Gamma_1 \triangleright [\mathsf{stop}]_o \mid [\mathsf{stop}]_o)$ can not be matched by any action from $(\Delta_1 \triangleright [a!]_o \mid [\mathsf{stop}]_o)$.

The other criteria, (b) and (c) above, are more difficult to formalise. But even in the absence of a precise formalisation we can also show that our proof methodology runs into difficulties with them, by considering a proposed touchstone family of preorders $\sqsubseteq^{n}_{\mathrm{behav}}$, $n \geq 0$, which incorporate some intuitive properties which we would expect. First an easy example, essentially taken from [HR04].

Example 4.3 (Problem with output types). Consider the two configurations $\mathcal{C}$ and $\mathcal{D}$, denoted by

$\Gamma \triangleright (\mathsf{new}\,r{:}R_1)([a!(r).\mathsf{stop}]_o)$, $\quad \Gamma \triangleright (\mathsf{new}\,r{:}R_2)([a!(r).\mathsf{stop}]_o)$

respectively, where the types $R_1, R_2$ are different, and $\Gamma$ has sufficient resources for $a$ to be exercised; that is $\Gamma \xrightarrow{(o,a,p)} \Gamma'$ for some owner $p$ and some $\Gamma'$.

Then it is easy to see that $\mathcal{C} \not\sqsubseteq^{k}_{\mathrm{wgt}} \mathcal{D}$ for any $k$ because the only actions which the configurations can perform are different; they are labelled $(o, (r{:}R_1)a!r, p)$ and $(o, (r{:}R_2)a!r, p)$ respectively.

However it is difficult to envisage any context in which these two configurations can be distinguished; for any reasonable definition of the touchstone relations we would expect $\mathcal{C} \sqsubseteq_{\mathrm{behav}} \mathcal{D}$ to be true. Thus our proof methodology will not be complete. ■

Our next example focuses on some of the novel features of Picost. 

Example 4.4 (Problem with owner identification). Let $\mathcal{C}, \mathcal{D}$ denote the configurations

$\Gamma \triangleright [a!]_{o_1}, \quad \Gamma \triangleright [a!]_{o_2}$

respectively, where $o_1, o_2$ are two different owners, and $\Gamma^{o}(o_1) = \Gamma^{o}(o_2)$.

Here again we would expect $\mathcal{C} \sqsubseteq_{\mathrm{behav}} \mathcal{D}$ to be true because there is no mechanism in Picost which would enable an observer to discover who was funding the use of the resource $a$. However assuming some owner $p$ has sufficient funds in $\Gamma$ to provide the resource $a$, we have $\mathcal{C} \not\sqsubseteq_{\mathrm{wgt}} \mathcal{D}$, again because the configurations perform different actions, labelled $(o_1, a!, p)$ and $(o_2, a!, p)$ respectively. ■
4.1. Behavioural preorders. In order to address the inadequacies with our proof methodology let us first give one possible formalisation of the touchstone family of behavioural preorders which we have been referring to as $\sqsubseteq^{n}_{\mathrm{behav}}$, $n \geq 0$; we adapt the theory of reduction barbed congruences, [HT92, SW01, HR04], to Picost, often referred to informally as contextual equivalences. For simplicity we assume that resource charging is always standard, and that the only values used are channel/resource names.

We first need to introduce into the reduction semantics some record of the costs being expended. Let us write $\Gamma \triangleright M \longrightarrow_c \Delta \triangleright N$ whenever $\Gamma \triangleright M \longrightarrow \Delta \triangleright N$ can be deduced from the reduction rules, in Figure 2, and $(\Delta^{\mathrm{rec}} - \Gamma^{\mathrm{rec}}) = c$. This is generalised in the obvious manner to $\Gamma \triangleright M \longrightarrow^{*}_{d} \Delta \triangleright N$ by the accumulation of costs.

Definition 4.5 (Cost improving). We say that the family of relations $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ over configurations is cost improving whenever $\mathcal{C}\,\mathcal{R}_m\,\mathcal{D}$, for any $m$, implies

(i) $\mathcal{C} \longrightarrow_c \mathcal{C}'$ implies $\mathcal{D} \longrightarrow^{*}_{d} \mathcal{D}'$ such that $\mathcal{C}'\,\mathcal{R}_{(m+c-d)}\,\mathcal{D}'$

(ii) conversely, $\mathcal{D} \longrightarrow_d \mathcal{D}'$ implies $\mathcal{C} \longrightarrow^{*}_{c} \mathcal{C}'$ such that $\mathcal{C}'\,\mathcal{R}_{(m+c-d)}\,\mathcal{D}'$. ■

This is a natural generalisation of the notion of reduction closure or reduction bisimulation from LTSs to weighted LTSs; for a justification of its use in defining behavioural preorders see Chapter 2 of [SW01].

Definition 4.6 (Observations). Let us write $(\Gamma \triangleright M) \Downarrow_{a?}$ whenever $(\Gamma \triangleright M) \longrightarrow^{*} (\Delta \triangleright N)$ where for some owner $o$

(i) $N \equiv (\mathsf{new}\,\tilde{c})([a?(x).T]_o \mid N')$, and $a$ does not occur in $(\tilde{c})$

(ii) $\Delta \xrightarrow{(u,a,o)} \Delta'$ for some $u$ and $\Delta'$.

The predicate $(\Gamma \triangleright M) \Downarrow_{a!}$ is defined in an analogous manner. Note that here the owner $o$ has to be able to pay the appropriate costs for the barb.

Then we say that the family of relations $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ over configurations preserves observations whenever, for any $n$, $\mathcal{C}_1\,\mathcal{R}_n\,\mathcal{C}_2$ implies that $\mathcal{C}_1 \Downarrow_{\beta}$ if and only if $\mathcal{C}_2 \Downarrow_{\beta}$, for every barb $\beta$ of the form $a?$ or $a!$. ■

Note that unlike [HG08] we do not record the cost of making observations; nor do we observe the owner responsible for the observation. This means that our notion of barb is more elementary.

Example 4.2 demonstrates that demanding a behavioural preorder to be compositional, in particular that it be preserved by arbitrary parallel contexts, is very problematic as intuitively it gives observers or external users of a system access to all the funds available to owners of the system. Here we address this issue by defining a relativised version of compositionality, relativised to the set of owners whose funds are available to external users.

Definition 4.7 ($\mathcal{O}$-contextual). Let $\mathcal{O}$ be a subset of the owners $\mathsf{Own}$. A relation $\mathcal{R}$ over Picost configurations is said to be $\mathcal{O}$-contextual whenever $(\Gamma \triangleright M)\,\mathcal{R}\,(\Delta \triangleright N)$ implies

(i) $(\Gamma \triangleright M \mid [P]_o)\,\mathcal{R}\,(\Delta \triangleright N \mid [P]_o)$ for every $o \in \mathcal{O}$, provided $(\Gamma \triangleright M \mid [P]_o)$ and $(\Delta \triangleright N \mid [P]_o)$ are configurations

(ii) $(\Gamma, r{:}R \triangleright M)\,\mathcal{R}\,(\Delta, r{:}R \triangleright N)$. ■

Combining these three properties we obtain:

Definition 4.8 (The contextual improvement preorder). Let $\{\sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{cxt}} \mid n \in \mathbb{N}\}$ be the largest family (point-wise) of $\mathcal{O}$-contextual relations over configurations which preserves observations, and is cost improving. ■
The idea here is that we only consider the behaviour of systems relative to contexts in which observers, or users of the systems, can use code running under the financial authority of the owners in $\mathcal{O}$. At one extreme we can take $\mathcal{O}$ to be the entire set of owners $\mathsf{Own}$ and then observers have access to all owners, and their funds; this gives compositionality, as expressed in Definition 4.1. The other extreme is when observers have access to none of the owners used in the systems under observation; in this case the observers have to provide their own funds, to support observations.

We now set ourselves the task of modifying the proof methodology of Section 3.3 so that the informal properties (a), (b), and (c) are enforced, relative to the touchstone preorders $\sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{cxt}}$. First note that Example 4.4 and Example 4.3 still apply when the informal relations $\sqsubseteq^{n}_{\mathrm{behav}}$ are instantiated by the formal $\sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{cxt}}$. But the problems presented in Example 4.2 depend on the choice of observers $\mathcal{O}$:

Example 4.9 (Unsoundness). Let $\Gamma, \Delta$ be as defined in Example 4.2. Then we have already argued that $\Gamma \triangleright [a!]_o \sqsubseteq_{\mathrm{wgt}} \Delta \triangleright [a!]_o$. Here we argue that $\Gamma \triangleright [a!]_o \not\sqsubseteq_{\mathcal{O}\text{-}\mathrm{cxt}} \Delta \triangleright [a!]_o$ whenever $o \in \mathcal{O}$. For otherwise, this would imply

$\Gamma \triangleright [a!]_o \mid [P]_o \sqsubseteq_{\mathcal{O}\text{-}\mathrm{cxt}} \Delta \triangleright [a!]_o \mid [P]_o$

for any process $P$ which ensures that the configurations are still well-formed.

However for a contradiction take $P$ to be $a?.(b! \mid b?.\omega!)$ where $\omega$ is some cost-free fresh channel. Then we can make the observation $\omega!$ on the left hand configuration but not on the right hand one. ■

This example shows that in general $\mathcal{O}$-observers can deplete the resources of any owner in $\mathcal{O}$, which is important if those owners have only finite funds. A significant consequence is given in the next proposition, which limits the applicability of this behavioural preorder for arbitrary $\mathcal{O}$.

Proposition 4.10. If $(\Gamma \triangleright M) \sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{cxt}} (\Delta \triangleright N)$ for any $n$, then $\Gamma^{o}(o) = \Delta^{o}(o)$ for every $o$ in $\mathcal{O}$.

Proof. Suppose $(\Gamma \triangleright M) \sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{cxt}} (\Delta \triangleright N)$ for some $n$, with $o$ an owner in $\mathcal{O}$. We prove that $k \leq \Gamma^{o}(o)$ if and only if $k \leq \Delta^{o}(o)$.

Consider the process $O = [(\mathsf{new}\,r{:}R)\,r! \mid r?.\omega!()]_o$, where $\omega$ is a fresh cost-free channel, and where $R$ is the resource type $(k, 0)$; so $r$ costs $k$ to use but is free to provide. Then by compositionality we know

$\Gamma, \omega{:}E \triangleright M \mid O \sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{cxt}} \Delta, \omega{:}E \triangleright N \mid O$

where $E$ denotes the trivial type $(0, 0)$.

If $k \leq \Gamma^{o}(o)$, we have $\Gamma, \omega{:}E \triangleright M \mid O \Downarrow_{\omega!}$ and therefore, by the preservation of observations, $\Delta, \omega{:}E \triangleright N \mid O \Downarrow_{\omega!}$. But this is only possible if $k \leq \Delta^{o}(o)$.

The converse argument is similar. □

In effect this means that the behavioural preorders $\sqsubseteq_{\mathcal{O}\text{-}\mathrm{cxt}}$ can not be used to differentiate between configurations in which owners from $\mathcal{O}$ accrue different levels of funds; a typical case in point occurs with the systems in Example 2.9. For this reason we are primarily interested in the extreme case, when the observers have no access to the funds of the owners in the systems under investigation. Let us introduce some special notation for these situations.

Let $e$ denote some arbitrary owner, intuitively taken to be external to the systems under observation. For an arbitrary cost environment $\Gamma$ we use $\Gamma_e$ to denote the extended cost environment obtained by adding $e$ to the domain of $\Gamma^{o}$ and setting $\Gamma^{o}(e)$ to be $\infty$; in particular $\Gamma_e$ is only defined whenever $e$ is new to the domain of $\Gamma^{o}$. Finally we use the notation

$\Gamma \triangleright M \sqsubseteq^{n}_{e\text{-}\mathrm{cxt}} \Delta \triangleright N$

as an abbreviation for

$\Gamma_e \triangleright M \sqsubseteq^{n}_{\{e\}\text{-}\mathrm{cxt}} \Delta_e \triangleright N$

Here the observer has no access to the owners' resources used in the configurations $\mathcal{C}, \mathcal{D}$ but has an infinite amount of resources with which to run experiments.

Our revised proof methodology is based on endowing Picost with the structure of a different, more abstract, wLTS, which takes into account the set of owners whose funds are available to observers, and employing Definition 3.3 to obtain a more abstract family of co-inductive preorders. In order to obtain our more abstract wLTS we forget some of the details in the labels of the actions of the operational semantics for Picost, given in Figure 6 and Figure 7, so that they reflect not what processes can do, but rather what external observers with access to the funds in $\mathcal{O}$ can observe them doing. This leads to abstract labels of the following form, ranged over by $\mu$:

(a) internal label $\tau$ as before

(b) input label $(u, (\tilde{r}{:}\tilde{R})a?v)$

(c) output label $((\tilde{r})a!v, p)$

Here only one owner is recorded in the external actions; for input we note the user of the resource $u$ while for output it is the producer $p$.

Definition 4.11 ($\mathcal{O}$-actions). For each abstract label $\mu$ let the corresponding $\mathcal{O}$-action $\mathcal{C} \xrightarrow{\mu}{}^{\mathcal{O}}_{w} \mathcal{D}$ be defined by

(a) $(\Gamma_1 \triangleright M) \xrightarrow{\tau}{}^{\mathcal{O}}_{w} (\Gamma_2 \triangleright N)$ whenever $(\Gamma_1 \triangleright M) \xrightarrow{\tau} (\Gamma_2 \triangleright N)$ can be deduced from the rules, where $(\Gamma_2^{\mathrm{rec}} - \Gamma_1^{\mathrm{rec}}) = w$.

(b) $(\Gamma_1 \triangleright M) \xrightarrow{((\tilde{r})a!v,p)}{}^{\mathcal{O}}_{w} (\Gamma_2 \triangleright N)$ whenever $p \in \mathcal{O}$ and $(\Gamma_1 \triangleright M) \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a!v,p)} (\Gamma_2 \triangleright N)$ can be deduced from the rules for some $(\tilde{R})$, and some owner $u$, where $(\Gamma_2^{\mathrm{rec}} - \Gamma_1^{\mathrm{rec}}) = w$.

(c) $(\Gamma_1 \triangleright M) \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a?v)}{}^{\mathcal{O}}_{w} (\Gamma_2 \triangleright N)$ whenever $u \in \mathcal{O}$ and $(\Gamma_1 \triangleright M) \xrightarrow{(u,(\tilde{r}{:}\tilde{R})a?v,p)} (\Gamma_2 \triangleright N)$ can be deduced from the rules for some owner $p$, where $(\Gamma_2^{\mathrm{rec}} - \Gamma_1^{\mathrm{rec}}) = w$.

Note that in (a) the set of owners $\mathcal{O}$ plays no role, but we leave it there for the sake of uniformity. ■

This endows Picost configurations with the structure of a more abstract wLTS, whose actions depend on the set of owners $\mathcal{O}$. We refer to this as the $\mathcal{O}$-wLTS and we write $\mathcal{C} \sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{wgt}} \mathcal{D}$ whenever there is an amortised weighted bisimulation $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ in this $\mathcal{O}$-wLTS such that $\mathcal{C}\,\mathcal{R}_n\,\mathcal{D}$. When $\mathcal{O}$ is the singleton set $\{e\}$ where the owner $e$ is fresh, that is external to the configurations being compared, we abbreviate this to $\mathcal{C} \sqsubseteq^{n}_{e\text{-}\mathrm{wgt}} \mathcal{D}$.

Example 4.12 (Publishing, revisited). Here we use the notation and definitions from Example 2.8 and Example 2.9.

First we can compare the profits gained by running the publishing system in different cost environments. As before let $\Gamma_{327}$ represent any cost environment of the form $\Gamma_{\mathrm{dyn}}, \mathsf{news}{:}R_n, \mathsf{adv}{:}R_a, \mathsf{publish}{:}R_p$, where these types are $(3, 1)$, $(2, 0)$, $(7, 1)$ respectively, and let $\Gamma_{216}$ be the same environment but with these types changed to $(2, 1)$, $(1, 0)$, $(6, 1)$. Then it is straightforward to exhibit a witness bisimulation to establish

$(\Gamma_{216} \triangleright [P]_p) \sqsubseteq^{0}_{e\text{-}\mathrm{wgt}} (\Gamma_{327} \triangleright [P]_p)$

Recall from Example 2.8 that in these cost environments we record the costs of the actions relative to their effect on the funds of $p$, the publisher. So this means that more profit can be gained by the publisher $p$ by using the cost regime underlying the environment $\Gamma_{216}$. To investigate the effect of implementing the kickback we consider the two systems

$\mathsf{PA} \Leftarrow (\mathsf{new}\,\mathsf{adv}{:}R_a)([P]_p \mid [A]_a)$

$\mathsf{PA}_K \Leftarrow (\mathsf{new}\,\mathsf{adv}{:}R_a)([P_K]_p \mid [A_K]_a)$

Both these systems use the news resource and provide the publish resource. Here we can show, for example, that

$(\Gamma_{327} \triangleright \mathsf{PA}_K) \sqsubseteq^{0}_{\mathrm{wgt}} (\Gamma_{327} \triangleright \mathsf{PA})$

provided $\Gamma^{o}_{327}(p)$ is at least $5$. See Section A.2 of the appendix for a description of a witness bisimulation. Again because of the way in which we have set up the accounting in the cost environments this means that the code $\mathsf{PA}_K$ is more profitable for the publisher than $\mathsf{PA}$. ■

The abstract $\mathcal{O}$-wLTS has precisely enough information about actions to characterise the touchstone contextual behavioural preorder, at least in the extreme case of $\mathcal{O} = \{e\}$.

Theorem 4.13 (Full-abstraction, external case). For every $n \in \mathbb{N}$, $(\Gamma \triangleright M) \sqsubseteq^{n}_{e\text{-}\mathrm{cxt}} (\Delta \triangleright N)$ if and only if $(\Gamma \triangleright M) \sqsubseteq^{n}_{e\text{-}\mathrm{wgt}} (\Delta \triangleright N)$.

Proof. This will follow from the more general full-abstraction result, given in Theorem 4.19. □

Unfortunately this result is not true for an arbitrary set of external owners $\mathcal{O}$. Example 4.9 can be used to show that the $\mathcal{O}$-wLTS has not taken into account the fact that observers have access to the funds of arbitrary owners in $\mathcal{O}$.

Example 4.14. We use the notation from Example 4.9, which in turn is inherited from Example 4.2. Let $\mathcal{O}$ be a set of owners which includes $o$ and the fresh $e$. Then it is easy to check that $\Gamma \triangleright [a!]_o \sqsubseteq_{\mathcal{O}\text{-}\mathrm{wgt}} \Delta \triangleright [a!]_o$. But we have already argued in Example 4.9 that

$\Gamma \triangleright [a!]_o \not\sqsubseteq_{\mathcal{O}\text{-}\mathrm{cxt}} \Delta \triangleright [a!]_o$. ■

So we have to revise the O-wLTS to take into account the access which observers may 
have to funds being used by the systems under investigation. 

Definition 4.15 (Fund transfer). For every $k \in \mathbb{N}$ let $\xrightarrow{(u,k,p)}$ be the partial function over cost environments defined by letting $\Gamma \xrightarrow{(u,k,p)} \Delta$ whenever $\Delta$ can be obtained from $\Gamma$ by transferring $k$ funds from owner $u$ to owner $p$. Formally this partial function is only defined when $\Gamma^{o}(u) \geq k$, in which case $\Delta^{o}(u) = \Gamma^{o}(u) - k$, $\Delta^{o}(p) = \Gamma^{o}(p) + k$, when $p \neq u$, and all other components of $\Delta$ are inherited directly from $\Gamma$; when $p = u$ the operation leaves $\Delta$ unchanged. This leads to a new action over configurations, with a new abstract label $\mathrm{ext}(u, k, p)$: we let

$(\Gamma_1 \triangleright M) \xrightarrow{\mathrm{ext}(u,k,p)}{}^{\mathcal{O}}_{w} (\Gamma_2 \triangleright M)$

whenever $\Gamma_1 \xrightarrow{(u,k,p)} \Gamma_2$, and $u, p$ are owners in $\mathcal{O}$, where $w = (\Gamma_2^{\mathrm{rec}} - \Gamma_1^{\mathrm{rec}})$. ■
This gives rise to yet another LTS whose states are Picost configurations, which we refer to as the $\mathcal{O}$-awLTS, and which induces another bisimulation preorder. But we also need to take Proposition 4.10 into account.

Definition 4.16 (Abstract weighted bisimulation preorder). A family of relations over Picost configurations $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ is said to be an $\mathcal{O}$-abstract amortised weighted bisimulation whenever

(i) $\Gamma \triangleright M\ \mathcal{R}_n\ \Delta \triangleright M'$ implies $\Gamma^{o}(o) = \Delta^{o}(o)$ for every $o$ in $\mathcal{O}$

(ii) $\{\mathcal{R}_n \mid n \in \mathbb{N}\}$ is an amortised weighted bisimulation in the $\mathcal{O}$-awLTS.

We write $\mathcal{C} \sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{awgt}} \mathcal{D}$ for the maximal family of such relations. ■

Note that these relations $\{\sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{awgt}} \mid n \in \mathbb{N}\}$ actually coincide with $\{\sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{wgt}} \mid n \in \mathbb{N}\}$ when $\mathcal{O}$ is the singleton external observer $\{e\}$; this follows because the extra fund transfer actions have no effect: $(\Gamma_1 \triangleright M) \xrightarrow{\mathrm{ext}(u,k,p)}{}^{\{e\}}_{w} (\Gamma_2 \triangleright M)$ if and only if $\Gamma_1 = \Gamma_2$.
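The fund-transfer partial function of Definition 4.15 and clause (i) of Definition 4.16 can be made concrete on the funds component $\Gamma^{o}$ of a cost environment. The following Python code is an added example, not from the paper; it reduces a cost environment to its owner-to-funds map (an assumption of mine) and uses the figures of Example 4.2 together with the external owner $e$ of $\Gamma_e$, showing that the pair passes clause (i) for the purely external observer $\{e\}$ but not once $o$ is observable, and that $\mathrm{ext}(e,k,e)$ never changes the environment.

```python
# Added example, not from the paper: the fund-transfer partial function of
# Definition 4.15 on the funds component Gamma^o of a cost environment, the
# ext(u,k,p) successors it induces for an observer set O, and clause (i) of
# Definition 4.16.  A cost environment is reduced to its owner -> funds map
# (my simplification); the figures are those of Example 4.2 plus the external
# owner e of Gamma_e.
import math

INF = math.inf   # owners with indefinite funds


def transfer(funds, u, k, p):
    """Gamma --(u,k,p)--> Delta.  Returns None when undefined (u lacks k funds
    or an owner is unknown); when p == u the environment is unchanged.  Since
    inf - k == inf, an owner with indefinite funds is never depleted."""
    if u not in funds or p not in funds or funds[u] < k:
        return None
    delta = dict(funds)
    if p != u:
        delta[u] = funds[u] - k
        delta[p] = funds[p] + k
    return delta


def ext_successors(funds, observers, max_k):
    """Distinct environments reachable by one ext(u,k,p) action with u, p in O
    and 0 <= k <= max_k (the definition allows any k in N; max_k bounds the
    enumeration)."""
    found = set()
    for u in observers:
        for p in observers:
            for k in range(max_k + 1):
                delta = transfer(funds, u, k, p)
                if delta is not None:
                    found.add(tuple(sorted(delta.items())))
    return found


def condition_i(gamma, delta, observers):
    """Clause (i) of Definition 4.16: both sides agree on the funds of every
    owner the observer may draw on."""
    return all(gamma[o] == delta[o] for o in observers)


# Example 4.2's environments, extended with the external owner e (Gamma_e, Delta_e).
GAMMA_E = {"o": INF, "p": INF, "e": INF}
DELTA_E = {"o": 10, "p": INF, "e": INF}


if __name__ == "__main__":
    print(condition_i(GAMMA_E, DELTA_E, {"e"}))             # True: purely external observer
    print(condition_i(GAMMA_E, DELTA_E, {"o", "e"}))        # False: o's funds differ
    print(len(ext_successors(DELTA_E, {"e"}, 5)))           # 1: ext(e,k,e) changes nothing
    print(len(ext_successors(DELTA_E, {"o", "e"}, 5)))      # 11: o's funds can range over 5..15
```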

It also coincides with the preorders used in Section 3.3 under certain conditions.

Proposition 4.17. Let $\mathcal{O}$ be the set of owners used in the two configurations $\Gamma$ and $\Delta$ and suppose that all owners in $\mathcal{O}$ have indefinite funds; that is $\Gamma^{o}(o) = \Delta^{o}(o) = \infty$ for every owner $o \in \mathcal{O}$. Then $\Gamma \triangleright M \sqsubseteq^{n}_{\mathrm{wgt}} \Delta \triangleright N$ implies $\Gamma \triangleright M \sqsubseteq^{n}_{\mathcal{O}\text{-}\mathrm{awgt}} \Delta \triangleright N$.

Proof. Straightforward. When funds are unlimited the constraint (i) in Definition 4.16 is vacuous, as is the requirement to match the fund actions labelled $\mathrm{ext}(u, k, p)$. The result now follows because every concrete action in the wLTS used in Section 3.3 is automatically also an abstract action in the $\mathcal{O}$-awLTS. □

It follows that the work of Section 3.3 has not been in vain; the proofs in the examples can be taken to be about the more abstract preorders $\sqsubseteq^n_{\mathcal{O}\text{-}awgt}$.

The remainder of this section is devoted to showing that, subject to a minor restriction, the co-inductive proof methodology based on $\{ \sqsubseteq^n_{\mathcal{O}\text{-}awgt} \mid n \in \mathbb{N} \}$ satisfies the informal criteria (a), (b) and (c) set out at the beginning of this section. It has a certain advantage over the methodology used in Section 3.3: in matching input and output moves the principals involved do not have to match up exactly. However in the general case it also has a disadvantage with cost environments in which certain owners have finite funds. If the observer has access to such owners then it is necessary to establish that the proposed relations between configurations are invariant under the transfer of funds between them. Of course in the particular case of a purely external observer, where $\mathcal{O}$ is taken to be $\{e\}$, which is possibly the most interesting case, this requirement is vacuous.

Definition 4.18 (Simple types). The type $R = (k_u, k_p)$ is simple whenever $k_p = 0$, meaning that resources of type $R$ cost nothing to provide. A cost environment is called simple whenever it can be written as $\Gamma_{dyn}, a_1\!:\!R_1, \ldots, a_n\!:\!R_n$ where $\Gamma_{dyn}$ is a basic environment and all $R_i$ are simple.

Restricting attention to simple types we know that for every resource name $a$ there is some $k \in \mathbb{N}$ such that $\Gamma \xrightarrow{(u,a,p)} \Delta$ if and only if $\Gamma \xrightarrow{(u,k,p)} \Delta$. ∎

Theorem 4.19 (Full-abstraction). Assuming simple cost environments, for every set of observers $\mathcal{O}$ and every $n \in \mathbb{N}$, $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}cxt} (\Delta \triangleright N)$ if and only if $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$.

The proof of this result is the subject of the remainder of this section; we will also see how the restriction to simple types can be lifted, at the expense of a generalisation of the fund action from Definition 4.15.
4.2. Full abstraction. First let us consider criterion (a) above, Compositionality. In fact we now have a parametrised version of this, $\mathcal{O}$-contextuality from Definition 4.7, which we tackle in two steps. First we require a lemma.

Lemma 4.20.

(i) Suppose $\Gamma \triangleright M \xrightarrow{\lambda} \Delta \triangleright N$. Then $\Gamma, r\!:\!R \triangleright M \xrightarrow{\lambda} \Delta, r\!:\!R \triangleright N$.

(ii) Conversely, suppose $\Gamma, r\!:\!R \triangleright M \xrightarrow{\lambda} \Delta, r\!:\!R \triangleright N$, where the label $\lambda$ does not describe a communication along the channel $r$. Then

(a) $\Gamma \triangleright M \xrightarrow{\lambda} \Delta \triangleright N$

(b) or the concrete action label $\lambda$ is of the form $(u, a?r, p)$, in which case $\Gamma \triangleright M \xrightarrow{(u,(r:R)a?r,p)} \Delta, r\!:\!R \triangleright N$.

(iii) $\Gamma \triangleright M \xrightarrow{(u,(r:R)a?r,p)} \Delta, r\!:\!R \triangleright N$ implies $\Gamma, r\!:\!R \triangleright M \xrightarrow{(u,a?r,p)} \Delta, r\!:\!R \triangleright N$.

Proof. Each statement is proved by induction on the derivation of the judgement. Note that for any $a$ in the domain of $\Gamma$, $\Gamma \xrightarrow{(u,a,p)} \Delta$ if and only if $\Gamma, r\!:\!R \xrightarrow{(u,a,p)} \Delta, r\!:\!R$. □

Proposition 4.21 ($\mathcal{O}$-contextual). $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$ implies $(\Gamma, r\!:\!R \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta, r\!:\!R \triangleright N)$.

Proof. Let $\{ \mathcal{R}_n \mid n \in \mathbb{N} \}$ be the family of relations over Picost configurations defined by letting $(\Gamma, r\!:\!R \triangleright M) \;\mathcal{R}_n\; (\Delta, r\!:\!R \triangleright N)$ whenever

(i) either $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$

(ii) or $(\Gamma, r\!:\!R \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta, r\!:\!R \triangleright N)$.

It is sufficient to show that this satisfies the conditions in Definition 4.16. Note that condition (i) of this definition is trivial.

So suppose $(\Gamma, r\!:\!R \triangleright M) \;\mathcal{R}_n\; (\Delta, r\!:\!R \triangleright N)$ and $(\Gamma, r\!:\!R \triangleright M) \xrightarrow{\mu}_{\mathcal{O}} (\Gamma', r\!:\!R \triangleright M')$ is an abstract action. We have to find a matching abstract move $(\Delta, r\!:\!R \triangleright N) \stackrel{\mu}{\Longrightarrow}_{\mathcal{O}} (\Delta', r\!:\!R \triangleright N')$.

Let us look at the concrete action underlying this abstract action, $(\Gamma, r\!:\!R \triangleright M) \xrightarrow{\lambda} (\Gamma', r\!:\!R \triangleright M')$. Since we know $(\Gamma \triangleright M)$ is a configuration, $\lambda$ can not describe a communication along $r$, and so we can apply part (ii) of the previous lemma, to obtain two cases:

(a) $\Gamma \triangleright M \xrightarrow{\lambda} \Gamma' \triangleright M'$. In this case the required matching move can be obtained using the fact that $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$, together with an application of part (i) of Lemma 4.20.

(b) $\lambda$ is the input action $(u, a?r, p)$, and $\Gamma \triangleright M \xrightarrow{(u,(r:R)a?r,p)} \Gamma', r\!:\!R \triangleright M'$. Here we again use the fact that $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$ to find a matching weak concrete move from $(\Delta \triangleright N)$ labelled $(u, (r\!:\!R)a?r, p')$ for some owner $p'$. Part (iii) of Lemma 4.20 can now be used to transform this into the required matching move from $(\Delta, r\!:\!R \triangleright N)$. In this case the matching will be because of clause (ii) in the definition of the family $\mathcal{R}_n$. □

Theorem 4.22 ($\mathcal{O}$-contextual). Suppose $(\Gamma \triangleright M \mid [P]_o)$ and $(\Delta \triangleright N \mid [P]_o)$ are both configurations, where $o \in \mathcal{O}$. Then $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$ implies $(\Gamma \triangleright M \mid [P]_o) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N \mid [P]_o)$.

Proof. We follow the standard proof structure, see Section 2.3 of [SW01], Proposition 6.4 of [HR04], Proposition 2.21 of [Hen07]; however the precise details are somewhat different. Let $\{ \mathcal{R}_n \mid n \in \mathbb{N} \}$ be the smallest family of relations which satisfies:

(i) $\Gamma \triangleright M \sqsubseteq^n_{\mathcal{O}\text{-}awgt} \Delta \triangleright N$ implies $\Gamma \triangleright M \;\mathcal{R}_n\; \Delta \triangleright N$

(ii) $\Gamma \triangleright M \;\mathcal{R}_n\; \Delta \triangleright N$ implies $(\Gamma \triangleright M \mid [P]_o) \;\mathcal{R}_n\; (\Delta \triangleright N \mid [P]_o)$, whenever $o \in \mathcal{O}$ and both $(\Gamma \triangleright M \mid [P]_o)$ and $(\Delta \triangleright N \mid [P]_o)$ are configurations

(iii) $\Gamma, r\!:\!R_1 \triangleright M \;\mathcal{R}_n\; \Delta, r\!:\!R_2 \triangleright N$ implies $\Gamma \triangleright (\mathsf{new}\, r\!:\!R_1)M \;\mathcal{R}_n\; \Delta \triangleright (\mathsf{new}\, r\!:\!R_2)N$.

We show that this family satisfies the requirements of Definition 4.16 up to structural equivalence, from which the result will follow. First note that for any $n$,

$\Gamma \triangleright M \;\mathcal{R}_n\; \Delta \triangleright N$ implies $\Gamma, r\!:\!R \triangleright M \;\mathcal{R}_n\; \Delta, r\!:\!R \triangleright N$ (4.1)

This can be proved by induction on why $\Gamma \triangleright M \;\mathcal{R}_n\; \Delta \triangleright N$, with the base case being provided by Proposition 4.21.

So suppose $\Gamma \triangleright M \;\mathcal{R}_n\; \Delta \triangleright N$ and $\Gamma \triangleright M \xrightarrow{\mu}_v \Gamma' \triangleright M_d$; we have to find a matching abstract move $\Delta \triangleright N \stackrel{\mu}{\Longrightarrow}_w \Delta' \triangleright N_d$ such that $\Gamma' \triangleright M_d \;\mathcal{R}_{(n+v-w)}\; \Delta' \triangleright N_d$; the symmetric requirement, of matching a move from $\Delta \triangleright N$ by a corresponding one from $\Gamma \triangleright M$, is treated in an analogous fashion.

We proceed by induction on why $\Gamma \triangleright M \;\mathcal{R}_n\; \Delta \triangleright N$, there being three cases, (i), (ii) and (iii) above, to consider. In the first case the requirement comes from Proposition 3.4. We concentrate on case (ii), where we know $M, N$ have the form $(M' \mid [P]_o)$, $(N' \mid [P]_o)$ respectively, where $o \in \mathcal{O}$, and we know by induction that $\Gamma \triangleright M' \;\mathcal{R}_n\; \Delta \triangleright N'$. We now examine why $\Gamma \triangleright M' \mid [P]_o \xrightarrow{\mu}_v \Gamma' \triangleright M_d$, and to start let us assume that $\mu$ is the label $\mathrm{ext}(u,k,p)$, where the reasoning is straightforward. This means, by definition, that $M_d$ is $M' \mid [P]_o$, $u, p$ are in $\mathcal{O}$ and $\Gamma \xrightarrow{(u,k,p)} \Gamma'$, which in turn implies $\Gamma \triangleright M' \xrightarrow{\mathrm{ext}(u,k,p)}_{\mathcal{O}} \Gamma' \triangleright M'$; moreover incidentally $k$ and $v$ must coincide, although this fact is not required here. By induction this can be matched by an action $\Delta \triangleright N' \stackrel{\mathrm{ext}(u,k,p)}{\Longrightarrow}_{\mathcal{O}} \Delta' \triangleright N''$ such that $(\Gamma' \triangleright M') \;\mathcal{R}_{(n+v-w)}\; (\Delta' \triangleright N'')$. This matching action can now be transformed into an action of the form $\Delta \triangleright N' \mid [P]_o \stackrel{\mathrm{ext}(u,k,p)}{\Longrightarrow}_{\mathcal{O}} \Delta' \triangleright N'' \mid [P]_o$, which is easily seen to be the required matching abstract move.

Having disposed of this simple case we now know that there is a derivation using the rules from Figure 6 and Figure 7 of the underlying action

$\Gamma \triangleright M' \mid [P]_o \xrightarrow{\lambda} \Gamma' \triangleright M_d$, (4.2)

where $v = (\Gamma'^{rec} - \Gamma^{rec})$, and $\lambda$ is the more concrete version of the label $\mu$. If $M'$ is responsible for the concrete action (4.2), then a straightforward application of the induction hypothesis will provide the required corresponding move. Suppose instead that $[P]_o$ is responsible, that is (4.2) takes the form

$\Gamma \triangleright M' \mid [P]_o \xrightarrow{\lambda} \Gamma' \triangleright M' \mid [P']_o$ (4.3)

because $\Gamma \triangleright [P]_o \xrightarrow{\lambda} \Gamma' \triangleright [P']_o$; here the reasoning needs to be more involved.

(a) First suppose this move is external, say an output with label $\lambda$ being $(o, (\tilde r\!:\!\tilde R)a!v, p)$ for some owner $p$. Because we are actually matching $\mathcal{O}$-actions we know that this $p$ is actually in $\mathcal{O}$.

Applying Lemma 3.8 we know that $\Gamma'$ has the form $\Gamma'', \tilde r\!:\!\tilde R$, where $\Gamma \xrightarrow{(o,a,p)} \Gamma''$. The use of simple types means that $\Gamma^p(a) = 0$ and $\Gamma^u(a) = k$ for some $k$, and standard resource charging implies that this $k$ is actually $v$. Thus we have the external move $\Gamma \triangleright M' \xrightarrow{\mathrm{ext}(o,k,p)}_{\mathcal{O}} \Gamma'' \triangleright M'$ and we know by induction this move can be matched by some $\Delta \triangleright N' \stackrel{\mathrm{ext}(o,k,p)}{\Longrightarrow}_{\mathcal{O}} \Delta'' \triangleright N'$ such that $\Gamma'' \triangleright M' \;\mathcal{R}_{(n+v-w)}\; \Delta'' \triangleright N'$. This matching move actually has the form

$\Delta \triangleright N' \stackrel{\tau}{\Longrightarrow}_{w_1} \Delta_1 \triangleright N'_1 \xrightarrow{\mathrm{ext}(o,k,p)}_{\mathcal{O}} \Delta_2 \triangleright N'_1 \stackrel{\tau}{\Longrightarrow}_{w_3} \Delta'' \triangleright N'$ (4.4)

with $w = w_1 + k + w_3$.

An application of part (iv) of Lemma 3.9 or Lemma 3.8 gives the move $\Delta_1 \triangleright [P]_o \xrightarrow{(o,(\tilde r:\tilde R)a!v,p)} \Delta_2, \tilde r\!:\!\tilde R \triangleright [P']_o$, which can be combined with the pre- and post-$\tau$ moves in (4.4) to give $\Delta \triangleright N' \mid [P]_o \stackrel{\mu}{\Longrightarrow}_w \Delta'', \tilde r\!:\!\tilde R \triangleright N' \mid [P']_o$. This is the required matching move since we know $\Gamma'' \triangleright M' \;\mathcal{R}_{(n+v-w)}\; \Delta'' \triangleright N'$, from which $\Gamma'', \tilde r\!:\!\tilde R \triangleright M' \mid [P']_o \;\mathcal{R}_{(n+v-w)}\; \Delta'', \tilde r\!:\!\tilde R \triangleright N' \mid [P']_o$ follows by the remark (4.1) above and the definition of the family $\{ \mathcal{R}_k \mid k \ge 0 \}$.

When the label $\lambda$ in the move (4.3) above is an input the argument is very much the same but with an application of Lemma 3.9 in place of Lemma 3.8; it is therefore omitted.

(b) Now suppose the move from $[P]_o$ we are examining is an internal move, taking the form $\Gamma \triangleright [P]_o \xrightarrow{\tau} \Gamma' \triangleright [P']_o$. Here we apply Theorem 3.10 and Proposition 2.5, which tell us that there are in principle three possibilities, (i), (ii) or (iii). But an analysis of the proof will show that for processes of the form $[P]_o$ case (i) is actually the only possibility. Here $\Gamma'$ coincides with $\Gamma$, implying incidentally that $v = 0$. As we know $\Delta \triangleright [P]_o$ is a configuration we also get $\Delta \triangleright [P]_o \xrightarrow{\tau} \Delta \triangleright [P']_o$, and therefore that $\Delta \triangleright N' \mid [P]_o \xrightarrow{\tau} \Delta \triangleright N' \mid [P']_o$. It is easy to now check that this is the required matching move, since by definition $\Gamma \triangleright M' \mid [P']_o \;\mathcal{R}_n\; \Delta \triangleright N' \mid [P']_o$.

We are left with the possibility that the underlying action to be matched, (4.2) above, involves communication and therefore takes the form

$\Gamma \triangleright M' \mid [P]_o \xrightarrow{\tau} \Gamma' \triangleright (\mathsf{new}\, \tilde r\!:\!\tilde R)(M'' \mid [P']_o)$

There are two cases, depending on whether $M'$ performs an input or an output. Let us consider the latter, the former being similar but slightly easier. So we have

$\Gamma \triangleright M' \xrightarrow{\lambda} \Gamma', \tilde r\!:\!\tilde R \triangleright M''$ and $\Gamma \triangleright [P]_o \xrightarrow{\bar\lambda} \Gamma', \tilde r\!:\!\tilde R \triangleright [P']_o$ (4.5)

with $\lambda, \bar\lambda$ taking the forms $(u, (\tilde r\!:\!\tilde R)a!v, o)$, $(u, (\tilde r\!:\!\tilde R)a?v, o)$ respectively, for some owner $u$. By induction the first move, or rather its abstract version, can be matched because $o$ is an owner in $\mathcal{O}$, giving

$\Delta \triangleright N' \stackrel{\tau}{\Longrightarrow} \Delta_1 \triangleright N'_1 \xrightarrow{(u',(\tilde r:\tilde R')a!v,o)} \Delta_2, \tilde r\!:\!\tilde R' \triangleright N'_2 \stackrel{\tau}{\Longrightarrow} \Delta', \tilde r\!:\!\tilde R' \triangleright N''$ (4.6)

for some owner $u'$, such that $(\Gamma', \tilde r\!:\!\tilde R \triangleright M'') \;\mathcal{R}_{(n+v-w)}\; (\Delta', \tilde r\!:\!\tilde R' \triangleright N'')$, where $w = (\Delta'^{rec} - \Delta^{rec})$. Note that the types of the extruded names, $\tilde R'$, may in general be different from the types at which they were extruded by $M'$, and the owner $u'$ may also be different, thereby a priori complicating matters when we try to combine this action with that from $[P]_o$ in (4.5) above.

However an application of part (ii) of Lemma 3.8 gives $\Delta_1 = \Delta_2$, and therefore from (4.5) and part (v) of Lemma 3.9 we get $\Delta_1 \triangleright [P]_o \xrightarrow{(u',(\tilde r:\tilde R')a?v,o)} \Delta_2, \tilde r\!:\!\tilde R' \triangleright [P']_o$. This concrete move can now be combined with the concrete move (4.6) to give the required matching abstract move $\Delta \triangleright N' \mid [P]_o \stackrel{\tau}{\Longrightarrow}_w \Delta' \triangleright (\mathsf{new}\, \tilde r\!:\!\tilde R')(N'' \mid [P']_o)$. □

The attentive reader will have noticed that the restriction to simple types was necessary in order to be able to model the use of a resource by the observers using actions based on the transfer function $\Gamma \xrightarrow{(u,k,p)} \Delta$, which records the transfer of $k$ funds, the cost of using the resource, from the user to the provider. If we drop the restriction to simple types, then the effect of using a resource is more complicated; a certain amount will be debited to the user, while another amount, possibly negative, will be credited to the user. This can be accommodated by a more general transfer function $\Gamma \xrightarrow{(u,k_1,k_2,p)} \Delta$, leading in turn to a more general abstract arrow in part (d) of Definition 4.11. With this adjustment compositionality can also be established for arbitrary types.

This contextuality result leads in a straightforward manner to the second informal criterion, (b):

Theorem 4.23 (Soundness). For every $n \in \mathbb{N}$ and every set of owners $\mathcal{O}$, $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$ implies $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}cxt} (\Delta \triangleright N)$.

Proof. (Outline) It is sufficient to show that the family of relations $\{ \sqsubseteq^n_{\mathcal{O}\text{-}awgt} \mid n \in \mathbb{N} \}$ satisfies the three defining properties of the family of contextual equivalences. Cost improving follows by definition, at least up to structural induction, in view of Theorem 3.10, and the two preceding results establish $\mathcal{O}$-contextuality. The final property, Preservation of observations, is also straightforward, since, for example, the ability to observe $a!$ from a configuration coincides with its ability to perform some output action on the resource $a$. □

The final criterion (c), Completeness, depends as usual on the ability to define contexts which capture the effect of each of the abstract $\mathcal{O}$-actions described in Definition 4.11. We first make this precise.

We use two fresh cost-free resources, $\mathit{succ}$ and $\mathit{fail}$, to record the success or failure of tests, and a third, $\mathit{req}$, for housekeeping purposes. For any $\Gamma$ we use $\Gamma^*$ to denote the cost environment obtained by adding on these resources. Now let $\mu$ be an abstract action which uses the bound names $(\tilde r)$. Then we say $\mu$ is definable relative to $\mathcal{O}$ if for every finite set of names $F$ there exists a system $T^F_\mu$ using only the owners from $\mathcal{O}$ such that

(i) if $\mathrm{dom}(\Gamma^u) \subseteq F$ and $\Gamma \triangleright M \xrightarrow{\mu}_{\mathcal{O}} \Delta, \tilde r\!:\!\tilde R \triangleright N$ then

$\Gamma^* \triangleright M \mid T^F_\mu \Longrightarrow \Delta^* \triangleright M'$

where $M' = (\mathsf{new}\, \tilde r\!:\!\tilde R)(\mathit{succ}!\langle \tilde r\rangle \mid N)$, $M' \Downarrow \mathit{succ}!$ and $M' \not\Downarrow \mathit{fail}!$

(ii) conversely, $\Gamma^* \triangleright M \mid T^F_\mu \Longrightarrow_w \Delta^* \triangleright M'$ where $M' \Downarrow \mathit{succ}!$ and $M' \not\Downarrow \mathit{fail}!$ implies $M' = (\mathsf{new}\, \tilde r\!:\!\tilde R)(\mathit{succ}!\langle \tilde r\rangle \mid N)$, where $\Gamma \triangleright M \stackrel{\mu}{\Longrightarrow}_{w}^{\mathcal{O}} \Delta, \tilde r\!:\!\tilde R \triangleright N$, whenever $\mathrm{dom}(\Gamma^u) \subseteq F$.

Theorem 4.24 (Definability). All input, output and external actions are definable.

Proof. (Outline) Let us look at two examples. First suppose that $\mu$ is the label $\mathrm{ext}(u,k,p)$ where $u$ and $p$ are both in $\mathcal{O}$; here $(\tilde r)$ is empty and the set of names $F$ plays no role. The definition of $T^F_\mu$ uses a variation on Example 2.7. We use

$[\mathit{fail}! \mid (\mathsf{new}\, r\!:\!R_k)\mathit{req}!\langle r\rangle.r!.\mathsf{stop}]_u \mid [\mathit{req}?(x).x?.\mathit{fail}?.\mathit{succ}!]_p$

where $R_k$ is the type $(k, 0)$. This ensures that whenever $(\Gamma^* \triangleright M \mid T^F_\mu)$ evolves at cost $w$ to a configuration $C$ such that $C \Downarrow \mathit{succ}$ but $C \not\Downarrow \mathit{fail}$ then the newly generated resource $r$ must have been used by $u$ and provided by $p$. This is only possible if $\Gamma^* \triangleright M$ can evolve to a configuration in which a transfer of $k$ can be made from $u$ to $p$; that is a configuration $\Gamma_1^* \triangleright M'$ such that $\Gamma_1^* \xrightarrow{(u,k,p)} \Gamma_2^*$. This in turn implies that we must have $\Gamma \triangleright M \stackrel{\mathrm{ext}(u,k,p)}{\Longrightarrow}_{\mathcal{O}} \Delta \triangleright N$ for some configuration $\Delta \triangleright N$. Note the cost here is $w$ because all of the resources used by the test $T^F_\mu$ are cost-free.

For the second example consider the abstract output action label $((r)a!r, p)$, where we know $p$ is in $\mathcal{O}$. Here we let $T^F_\mu$ be

$[\mathit{fail}! \mid a?(x).\mathsf{if}\ x \in F\ \mathsf{then}\ \mathsf{stop}\ \mathsf{else}\ \mathit{fail}?.\mathit{succ}!]_p$

where $x \in F$ is an abbreviation for a series of tests deciding whether or not $x$ is in the finite set of names $F$. Intuitively whenever this is used in a cost environment $\Gamma$ satisfying $\mathrm{dom}(\Gamma^u) \subseteq F$ this test will fail only when $x$ is instantiated by a fresh name.

Once more it is easy to see that the ability of $\Gamma^* \triangleright M \mid T^F_\mu$ to evolve to a configuration $C$ satisfying $C \Downarrow \mathit{succ}$ but $C \not\Downarrow \mathit{fail}$ coincides with the ability of $\Gamma \triangleright M$ to do a weak concrete move labelled $(u, (r\!:\!R)a!r, p)$ for some owner $u$ and type $R$. Moreover the cost of this weak concrete action will be exactly the same as the evolution from $\Gamma^* \triangleright M \mid T^F_\mu$, because the interactions with the test $T^F_\mu$ are free. □

Theorem 4.25 (Completeness). For every $n \in \mathbb{N}$ and every set of owners $\mathcal{O}$, $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}cxt} (\Delta \triangleright N)$ implies $(\Gamma \triangleright M) \sqsubseteq^n_{\mathcal{O}\text{-}awgt} (\Delta \triangleright N)$.

Proof. (Outline) It suffices to show that the family $\{ \sqsubseteq^n_{\mathcal{O}\text{-}cxt} \mid n \in \mathbb{N} \}$ satisfies the conditions in Definition 4.16. Note that condition (i) is already established by Proposition 4.10. Now suppose $\Gamma \triangleright M \sqsubseteq^n_{\mathcal{O}\text{-}cxt} \Delta \triangleright N$ and $\Gamma \triangleright M \xrightarrow{\mu}_v \Gamma' \triangleright M'$. We have to find a matching move from $\Delta \triangleright N$, which is relatively straightforward because of Theorem 4.24. As an example suppose $\mu$ is the output label $((r)a!r, p)$, and so $\Gamma'$ has the structure $\Gamma'', r\!:\!R$ for some $R$. Because of Compositionality we know $\Gamma^* \triangleright M \mid T^F_\mu \sqsubseteq^n_{\mathcal{O}\text{-}cxt} \Delta^* \triangleright N \mid T^F_\mu$. Using the first part of the Definability Theorem we know that, up to structural equivalence,

$\Gamma^* \triangleright M \mid T^F_\mu \longrightarrow^*_v \Gamma^{*\prime\prime} \triangleright (\mathsf{new}\, r\!:\!R)(\mathit{succ}!\langle r\rangle \mid M')$.

Using the properties of the family $\{ \sqsubseteq^n_{\mathcal{O}\text{-}cxt} \mid n \in \mathbb{N} \}$ this move must be matched by a move

$\Delta^* \triangleright N \mid T^F_\mu \longrightarrow^*_w \Delta^{*\prime\prime} \triangleright N''$

where

$\Gamma^{*\prime\prime} \triangleright (\mathsf{new}\, r\!:\!R)(\mathit{succ}!\langle r\rangle \mid M') \sqsubseteq^{(n+v-w)}_{\mathcal{O}\text{-}cxt} \Delta^{*\prime\prime} \triangleright N''$ (4.7)

Moreover we know $N'' \Downarrow \mathit{succ}!$ and $N'' \not\Downarrow \mathit{fail}!$ and so the Definability theorem tells us that $N'' = (\mathsf{new}\, r\!:\!R')(\mathit{succ}!\langle r\rangle \mid N')$ where

$\Delta \triangleright N \stackrel{\mu}{\Longrightarrow}_w \Delta'', r\!:\!R' \triangleright N'$.

This would be the required matching move, if we had

$\Gamma'', r\!:\!R \triangleright M' \sqsubseteq^{(n+v-w)}_{\mathcal{O}\text{-}cxt} \Delta'', r\!:\!R' \triangleright N'$ (4.8)

whereas (4.7) only gives us, up to structural equivalence,

$\Gamma^{*\prime\prime} \triangleright (\mathsf{new}\, r\!:\!R)(\mathit{succ}!\langle r\rangle \mid M') \sqsubseteq^{(n+v-w)}_{\mathcal{O}\text{-}cxt} \Delta^{*\prime\prime} \triangleright (\mathsf{new}\, r\!:\!R')(\mathit{succ}!\langle r\rangle \mid N')$ (4.9)

However the so-called Extrusion Lemma, see Proposition 6.7 of [HR04] and Lemma 2.38 of [Hen07], can easily be adapted to Picost, to show that the required (4.8) does indeed follow from (4.9). □



5. Conclusion 

In this paper we have developed a behavioural theory based on bisimulations for a 
version of the picalculus, Picost, in which 

• resources have costs associated with them 

• code runs under the financial responsibility of owners, or principals 

• code can only be executed if the owner responsible for it can finance the available trans- 
actions. 

The behavioural theory gives rise to a co-inductive proof methodology for comparing the 
costed behaviour of systems. We have demonstrated the usefulness of the methodology 
by treating some examples, and we have offered at least a preliminary justification for 
the theory in terms of contextual requirements, parametrised on sets of owners. We have 
provided some evidence that the most appropriate theory emerges when this set of observers 
is taken to be some single external observer, external to the owners funding the systems 
being investigated. In particular with this particular set of observers there is no need to 
consider the extra actions ext(u, k, p) when establishing bisimulations. 

The language could be extended in many ways without unduly affecting the underlying 
theory. Perhaps the most obvious extension would be the introduction of ownership types, 
to control which owners can use which resources; this would help in the modularisation 
of systems. One could also introduce a scoping mechanism for owners, limiting the range 
within systems of their financial responsibility. One effect of such extensions would be 
that owners would play a much more significant role in the (abstract) actions on which 
bisimulations are based. Such investigations we leave for future work. 

The language could also be extended with mechanisms whereby processes could be 
aware of which owners are funding which resources, and more importantly base their be- 
haviour on such knowledge. More ambitiously the semantics of the language could be 
generalised so that behaviour is now dependent on some dynamic cost model. There is 
considerable scope here for inventing more realistic cost models, whereby for example costs 
associated with producing/consuming resources could vary according to market dynamics. 
It is likely that a probabilistic setting would be most appropriate for developing such models. 

The underlying theory of weighted bisimulations also deserves attention. For example 
it is not clear if the theory is decidable, even for finite-state systems. More generally it 
would be interesting to have techniques which would calculate the costs necessary to assign 
to actions in order to ensure the equivalence of two systems. There is already an extensive 
literature on weighted automata [DKV09| and decidability issues concerned with them, 
which may help in this regard. 

Related work: The research reported in the current paper grew out of preliminary work reported in [HG08]. There a language $\pi_{cost}$ was defined and also given a semantics relative to cost environments. But there are significant differences. At the language level the construct central to Picost, $[P]_o$, is absent in $\pi_{cost}$; indeed in the latter there is no representation of owners being responsible for specific computations. The cost environments used are also quite different; in $\pi_{cost}$ funds are associated directly with resources, which complicates considerably the reduction semantics as the resource types need to be dynamic. Here all funds are retained by owners, which simplifies matters considerably, and this facilitates the introduction of charges for resource usage and benefits for resource provision. Finally the behavioural theories are different. The concept of weighted bisimulation is considerably more flexible than the cost bisimulations of [HG08], as the latter simply compare the relative cost of performing each particular action.

Reader:

$R_1 \Leftarrow \mathit{goLib}?(\mathit{name}).(\mathsf{new}\, r)R_2(r, \mathit{name})$
$R_2(r, \mathit{name}) \Leftarrow \mathit{reqR}!\langle r, \mathit{name}\rangle.R_3(r)$
$R_3(r) \Leftarrow r?(b).R_4(b)$
$R_4(b) \Leftarrow \mathit{goHome}!\langle b\rangle.R_1$

Library:

$L_1 \Leftarrow \mathit{reqR}?(y,z).L_2(y,z)$
$L_2(y,z) \Leftarrow L_3(y,z) + (\mathsf{new}\, r)L_4(r,y,z)$
$L_3(y,z) \Leftarrow y!\langle \mathit{book}(z)\rangle.L_1$
$L_4(r,y,z) \Leftarrow \mathit{reqS}!\langle r,z\rangle.L_5(r,y)$
$L_5(r,y) \Leftarrow r?(b).L_6(y,b)$
$L_6(y,b) \Leftarrow y!\langle b\rangle.L_1$

Store:

$S_1 \Leftarrow \mathit{reqS}?(y,z).S_2(y,z)$
$S_2(y,z) \Leftarrow y!\langle \mathit{book}(z)\rangle.S_1$

Figure 8: Notation for library code

Weighted bisimulations are a direct generalisation of the notion of amortised bisimulations from [KAK05]; these were originally defined for a version of CCS, [Mil89], in which only external actions have a cost associated with them. Nevertheless we believe that our generalisation is significant, at least in that it will make the concepts more generally applicable. However similar ideas have a long history in the field of timed process calculi; see for example [Tof94]. A good survey of the use of amortisation for timed processes can be found in [LV06].

Other resource-aware calculi have already appeared in the literature. A typical example is the variant of mobile ambients [CG00] from [BBDCS03] in which the resource in question is space, and the processes in the calculi have a bounded capacity to host incoming ambients. Another interesting example may be found in [Tel04] and related publications, which develops a version of the picalculus in which unused resources/channels may be garbage collected. Of particular interest to us is the general theory of resource-based computation being developed in [CP07] and related publications. In future work we hope to adapt their resource-based modal logic to Picost.
$N_1 \Leftarrow (\mathsf{new}\, \mathit{reqR}\!:\!R^c_r)([R_1]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS}\!:\!R^c_s)([L_1]_{\mathit{lib}} \mid [S_1]_{\mathit{lib}}))$
$N_2(n) \Leftarrow (\mathsf{new}\, \mathit{reqR}, r)([R_2(r,n)]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS})([L_1]_{\mathit{lib}} \mid [S_1]_{\mathit{lib}}))$
$N_3(n) \Leftarrow (\mathsf{new}\, \mathit{reqR}, r)([R_3(r)]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS})([L_2(r,n)]_{\mathit{lib}} \mid [S_1]_{\mathit{lib}}))$
$N_{41}(n) \Leftarrow (\mathsf{new}\, \mathit{reqR}, r)([R_3(r)]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS})([L_3(r,n)]_{\mathit{lib}} \mid [S_1]_{\mathit{lib}}))$
$N_{51}(b) \Leftarrow (\mathsf{new}\, \mathit{reqR}, r)([R_4(b)]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS})([L_1]_{\mathit{lib}} \mid [S_1]_{\mathit{lib}}))$
$N_{42}(n) \Leftarrow (\mathsf{new}\, \mathit{reqR}, r, r')([R_3(r)]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS})([L_4(r',r,n)]_{\mathit{lib}} \mid [S_1]_{\mathit{lib}}))$
$N_{52}(n) \Leftarrow (\mathsf{new}\, \mathit{reqR}, r, r')([R_3(r)]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS})([L_5(r',r)]_{\mathit{lib}} \mid [S_2(r',n)]_{\mathit{lib}}))$
$N_{53}(b) \Leftarrow (\mathsf{new}\, \mathit{reqR}, r, r')([R_3(r)]_{\mathit{pub}} \mid (\mathsf{new}\, \mathit{reqS})([L_6(r,b)]_{\mathit{lib}} \mid [S_1]_{\mathit{lib}}))$

Figure 9: Library systems

A.1. The library. Here we revisit the example on running a library, discussed in Example 2.6 and Example 3.11, and prove

$(\Gamma_{\mathit{central}} \triangleright \mathit{Sys}_{\mathit{central}}) \sqsubseteq_{wgt} (\Gamma_{\mathit{local}} \triangleright \mathit{Sys}_{\mathit{local}})$ (A.1)

by exhibiting a witness bisimulation. For convenience we work up to structural equivalence and modulo $\beta$-moves; essentially these are moves which have no effect on the overall behaviour of systems; see [Hen07], [GS96] for details. In Picost these include the actions generated by the rules (l-export), (l-unwind), (l-split), (l-match), (l-mismatch). Let us assume a set of book names $\mathit{BN}$, ranged over by $n$, and a set of books $\mathit{BK}$, ranged over by $b$.

Let us write $\Gamma \sim \Delta$ whenever

(a) $\Gamma$ has the form $\Gamma_{dyn}, \mathit{goLib}\!:\!(0,5), \mathit{goHome}\!:\!(0,5), \mathit{reqR}\!:\!(0,1), \mathit{reqS}\!:\!(0,1)$ for some basic environment $\Gamma_{dyn}$

(b) $\Delta$ has the form $\Delta_{dyn}, \mathit{goLib}\!:\!(0,1), \mathit{goHome}\!:\!(0,1), \mathit{reqR}\!:\!(0,3), \mathit{reqS}\!:\!(0,5)$ where again $\Delta_{dyn}$ is some basic environment.

(c) $\mathrm{dom}(\Gamma^o) = \mathrm{dom}(\Delta^o) = \{\mathit{pub}, \mathit{lib}\}$, with $\Gamma^o(o) = \Delta^o(o) = \infty$ for every $o$ in its domain.

So effectively $\Gamma$ must be like $\Gamma_{\mathit{central}}$ with perhaps a different record field $\Gamma^{rec}$, and $\Delta$ must be like $\Gamma_{\mathit{local}}$. Our witness bisimulation will contain pairs of the form

$\Gamma \triangleright N \leftrightarrow \Delta \triangleright M$ where $\Gamma \sim \Delta$

The allowed forms of $N$ are described in Figure 9, where for convenience we have omitted the explicit occurrence of the local types $R^c_r$, $R^c_s$ after the first line. These in turn use the notation given in Figure 8 for the various processes. The allowed forms for $M$ are identical except for the use of the local types $R^l_r$, $R^l_s$ in place of $R^c_r$, $R^c_s$.
Let the family of relations over configurations $\{ \mathcal{R}_k \mid k \in \mathbb{N} \}$ be determined by the following constraints, where we assume in each clause that $\Gamma \sim \Delta$:

$\Gamma \triangleright N_1 \;\mathcal{R}_k\; \Delta \triangleright M_1$ whenever $k \ge 2$

$\Gamma \triangleright N_2(n) \;\mathcal{R}_k\; \Delta \triangleright M_2(n)$ whenever $k \ge 6$, $n \in \mathit{BN}$

$\Gamma \triangleright N_i(n) \;\mathcal{R}_k\; \Delta \triangleright M_i(n)$ whenever $k \ge 4$, $n \in \mathit{BN}$, $i = 3, 41, 51, 42$

$\Gamma \triangleright N_i(n) \;\mathcal{R}_k\; \Delta \triangleright M_i(n)$ whenever $k \ge 4$, $n \in \mathit{BN}$, $i = 3, 41, 42$

$\Gamma \triangleright N_i(b) \;\mathcal{R}_k\; \Delta \triangleright M_i(b)$ whenever $k \ge 0$, $b \in \mathit{BK}$, $i = 51, 52, 53$

It is fairly straightforward, although tedious, to prove that $\{ \mathcal{R}_k \mid k \in \mathbb{N} \}$ satisfies the requirements of being a weak bisimulation in the wLTS of Section 3.3 up to structural equivalence and $\beta$-moves. This is facilitated by the fact that the code in each component of the pairs is identical.

Note that the configuration $\Gamma_{\mathit{central}} \triangleright \mathit{Sys}_{\mathit{central}}$ $\beta$-reduces to a configuration of the form $\Gamma \triangleright N_1$ and $(\Gamma_{\mathit{local}} \triangleright \mathit{Sys}_{\mathit{local}})$ $\beta$-reduces to one of the form $\Delta \triangleright M_1$, where $\Gamma \sim \Delta$, and thus (A.1) above follows.



A.2. The publisher. Here we revisit the publishing example developed in Example 2.8, Example 2.9 and Example 4.12; by exhibiting a witness bisimulation, again up to structural equivalence and $\beta$-moves, we show that

$(\Gamma_{327} \triangleright \mathit{PA}_K) \sqsubseteq^{0}_{e\text{-}awgt} (\Gamma_{327} \triangleright \mathit{PA})$ (A.2)

subject to minor constraints on $\Gamma$; these constraints allow $\Gamma^o(p)$ to be finite. The systems $\mathit{PA}$ and $\mathit{PA}_K$, in addition to cost-free communications,

• use the resource $\mathit{news}$; in the definition of the cost environment from Example 2.8 this is recorded as a loss of 3, the cost of using $\mathit{news}$. In the abstract wLTS we are using this loss is paid for by the funds in $\Gamma^o_{327}(p)$, while it costs nothing to provide

• provide the resource $\mathit{publish}$; in the cost environment this is recorded as a gain of 6, namely the difference between providing it, 7, and using it, 1. Also this gain is added to the funds of $\Gamma^o_{327}(p)$.

There are also internal communications which have costs associated with them, namely the use and provision of $\mathit{adv}$; again this is recorded as a loss of 2 which must be funded by $\Gamma^o_{327}(p)$.

In order to describe the witness bisimulation we use the code abbreviations in Figure 10 and the system definitions in Figure 11. All environments we use have the form $\Gamma_{dyn}, \mathit{news}\!:\!R_n, \mathit{publish}\!:\!R_p$, and in order to fund the advertising we assume $\Gamma^o(a) = \infty$. In the witness bisimulation $\{ \mathcal{R}_k \mid k \in \mathbb{N} \}$ all $\mathcal{R}_k$ are identical and this unique relation $\mathcal{R}$ is characterised by the following constraints:

$\Gamma_e \triangleright \mathit{PA}_{K1} \;\mathcal{R}\; \Delta_e \triangleright \mathit{PA}_1$ whenever $5 \le \Gamma^o(p)$, $5 \le \Delta^o(p)$

$\Gamma_e \triangleright \mathit{PA}_{K2}(r) \;\mathcal{R}\; \Delta_e \triangleright \mathit{PA}_2(r)$ whenever $2 \le \Gamma^o(p)$, $2 \le \Delta^o(p)$, $r \in \mathit{Chan}$

$\Gamma_e \triangleright \mathit{PA}_{K3}(r) \;\mathcal{R}\; \Delta_e \triangleright \mathit{PA}_3(r)$ whenever $r \in \mathit{Chan}$

$\Gamma_e \triangleright \mathit{PA}_{Ki}(n) \;\mathcal{R}\; \Delta_e \triangleright \mathit{PA}_i(n)$ whenever $4 \le i \le 6$, $n \in \mathit{News}$

$\Gamma_e \triangleright \mathit{PA}_{K7}(n) \;\mathcal{R}\; \Delta_e \triangleright \mathit{PA}_6(n)$ whenever $n \in \mathit{News}$
$P_1(r_1) \Leftarrow \mathit{news}!\langle r_1\rangle.(\mathsf{new}\, r_2)P_2(r_1,r_2)$
$P_2(r_1,r_2) \Leftarrow \mathit{adv}!\langle r_2\rangle.P_3(r_1,r_2)$
$P_3(r_1,r_2) \Leftarrow r_1?(n).P_4(n,r_2)$
$P_4(n,r_2) \Leftarrow r_2?(d).P_5(n,d)$
$P_5(n,d) \Leftarrow \mathit{publish}?(z).P_6(n,d,z)$
$P_6(n,d,z) \Leftarrow z!\langle n,d\rangle.(\mathsf{new}\, r_1)P_1(r_1)$

$A_1 \Leftarrow \mathit{adv}?(r).(\mathsf{new}\, d)A_2(r,d)$

$P_{K1}(r_1) \Leftarrow \mathit{news}!\langle r_1\rangle.(\mathsf{new}\, r_2, k)P_{K2}(r_1,r_2,k)$
$P_{K2}(r_1,r_2,k) \Leftarrow \mathit{adv}!\langle k,r_2\rangle.P_{K3}(r_1,r_2,k)$
$P_{K3}(r_1,r_2,k) \Leftarrow r_1?(n).P_{K4}(n,r_2,k)$
$P_{K4}(n,r_2,k) \Leftarrow r_2?(d).P_{K5}(n,d,k)$
$P_{K5}(n,d,k) \Leftarrow \mathit{publish}?(z).P_{K6}(n,d,k,z)$
$P_{K6}(n,d,k,z) \Leftarrow k?.P_{K7}(n,d,z)$
$P_{K7}(n,d,z) \Leftarrow z!\langle n,d\rangle.(\mathsf{new}\, r_1)P_{K1}(r_1)$

Advertiser with kickback: $A_{K1} \Leftarrow \mathit{adv}?(k,r).(\mathsf{new}\, d)A_{K2}(k,r,d)$

$A_{K2}(k,r,d) \Leftarrow r!\langle d\rangle.(A_{K1} \mid k!)$

Figure 10: Notation for publisher code

Here we use News to denote some set of news stories. 

It is straightforward to show that this is indeed a weak amortised bisimulation in the abstract wLTS relative to the single external observer $e$. Since $\Gamma_{327} \triangleright \mathit{PA}_K$ $\beta$-reduces to $\Gamma_{327} \triangleright \mathit{PA}_{K1}$ and $\Gamma_{327} \triangleright \mathit{PA}$ $\beta$-reduces to $\Gamma_{327} \triangleright \mathit{PA}_1$, and $\Gamma_{327} \triangleright \mathit{PA}_{K1} \;\mathcal{R}\; \Gamma_{327} \triangleright \mathit{PA}_1$, the required (A.2) above follows.